Abstract: We present a generic design of abstract machines for non-deterministic programming
languages, such as process calculi or concurrent lambda calculi, that provides a simple way to 
implement them. Such a machine traverses a term in the search for a redex, making non-deterministic 
choices when several paths are possible and backtracking when it reaches a dead end, i.e., an 
irreducible subterm. The search is guaranteed to terminate thanks to term annotations the machine 
introduces along the way. 

We show how to automatically derive a non-deterministic abstract machine from a zipper semantics— 
a form of structural operational semantics in which the decomposition process of a term into a 
context and a redex is made explicit. The derivation method ensures the soundness and completeness 
of the machines w.r.t. the zipper semantics. 
Non-deterministic abstract machines

Résumé (translated from the French): We propose a uniform presentation of abstract machines for
non-deterministic languages, such as process calculi or concurrent lambda-calculi, which makes
them easy to implement. Such a machine traverses the term in search of a redex, making arbitrary
choices when several paths are possible, and backtracking when it reaches a dead end, i.e., an
irreducible term. We guarantee the termination of the search thanks to the annotations the
machine adds along the way.

We show how to automatically derive a non-deterministic machine from a zipper semantics, a form
of structural operational semantics in which the decomposition of a term into a context and a
redex appears explicitly. The derivation method guarantees the soundness and completeness of the
machine with respect to the zipper semantics.
1 Introduction


Abstract machines, i.e., first-order tail-recursive transition systems for term reduction, such
as SECD [28], CEK [12], and the KAM [27], are a traditional and celebrated artifact in
the area of programming languages based on the λ-calculus. They serve both as a form
of operational semantics [11, 12, 28] and an implementation model [25, 32] of programming
languages, but they also play a role in other areas, e.g., in proof theory [27], higher-order
model checking [40], or cost models [1]. They are used as an implementation model also in
concurrent languages [15, 17, 33, 36, 45], in particular to study distribution [4, 18-20, 23, 37].

Since in general designing a new abstract machine is a serious undertaking, several
frameworks supporting mechanical or even automatic derivations of abstract machines from
other forms of semantics have been developed [2, 6, 22, 43]. However, these frameworks assume
a language that satisfies the unique decomposition property [6, 10], which entails that at each
step one specific redex is selected, and thus the language follows a deterministic reduction
strategy. This property does not hold in non-deterministic languages such as process calculi
(or even in the λ-calculus without a fixed reduction strategy), and the existing methodology
cannot be applied. Existing machines for non-deterministic languages are ad-hoc and may
not be complete, i.e., not all reduction paths of the language can be simulated by the
corresponding abstract machine [15, 17, 19, 33, 45].

This work presents a generic framework for the definition of complete abstract machines
that implement a non-deterministic reduction relation in a systematic way. The idea is to go
through a term to find a redex without following a specific strategy, picking arbitrarily a
subterm when several are available—e.g., going left or right of an application in the λ-calculus.
The two main ideas are: (1) the machine should not remain stuck when it chooses a subterm
which cannot reduce—in such a case we make it backtrack to its last choice; (2) the machine
should not endlessly loop searching for redexes in subterms which cannot reduce—the machine
annotates the subterms which are normal forms to prevent itself from visiting them again.

Non-deterministic machines designed in this way can be complex even for small languages,
therefore we show how to generate them automatically from an intermediary zipper semantics.
This semantics, inspired by Huet [24], is a form of structural operational semantics (SOS) [39]
that remembers the current position in a term by building a context, i.e., a syntactic
object that represents a term with a hole [13]. This format of semantics makes it explicit
how a term is decomposed into a context and a redex, and thus it can be seen as a
non-deterministic counterpart of the decomposition function in (deterministic) context-based
reduction semantics [9, 14]. While deterministic reduction semantics is directly implementable
and the corresponding abstract machine can be viewed (roughly) as its optimization [10],
non-deterministic reduction semantics, even when expressed as a zipper semantics, requires
non-trivial instrumentation to become implementable in a complete way. Deriving the
non-deterministic abstract machine (NDAM) from the zipper semantics consists exactly in such
an instrumentation with the backtracking mechanism and normal-form annotations. We show
how to derive an NDAM from an arbitrary zipper semantics that satisfies minimal conditions,
and we prove that the resulting NDAM is sound and complete w.r.t. the semantics. Our
approach applies in particular to process calculi, for which the abstract machines defined so
far were ad-hoc and usually not complete.
▶ Figure 1 Zipper semantics for the λ-calculus (the rules of the figure are not reproduced in this extraction)


The contributions of this paper are: (1) a generic design of sound and complete
non-deterministic abstract machines which cannot get stuck or infinitely loop in a redex search,
(2) with a systematic derivation procedure from an intermediary format, called zipper semantics.
The resulting machine is an implementation of the non-deterministic source language.

We illustrate our method on the λ-calculus without a fixed reduction strategy and on
a minimal process calculus HOcore [30], respectively in Sections 2 and 3. We then give a
derivation procedure of an NDAM from an arbitrary zipper semantics in Section 4. We
discuss related work in Section 5 and future work in Section 6. The appendix contains the
proofs missing from the body of the paper and a further example: the zipper semantics and
abstract machine of HOπ [41], which extends HOcore with name restriction. An implementation
of the derivation procedure is also available [5].


2 Lambda-calculus


As a warm-up example, we present the zipper semantics and the corresponding NDAM for
the λ-calculus with no fixed reduction strategy.
2.1 Syntax and Context-based Reduction Semantics 


We let t, s range over λ-terms. We denote application with an explicit operator @ to annotate
it later on. We represent a context E as a list of elementary contexts called frames φ.

$$t, s ::= x \mid \lambda x.t \mid t\ @\ s \qquad \varphi ::= \lambda x \mid @\ t \mid t\ @ \qquad E, F, G ::= \varepsilon \mid \varphi :: E$$


Because it is more convenient for the definition of the machine, we interpret contexts
inside-out [11]: the head of the context is the innermost frame. The definition of plugging a term
in a context E[t] is therefore as follows:

$$\varepsilon[t] \triangleq t \qquad (\lambda x :: E)[t] \triangleq E[\lambda x.t] \qquad (@\ s :: E)[t] \triangleq E[t\ @\ s] \qquad (s\ @ :: E)[t] \triangleq E[s\ @\ t]$$


We write t{s/x} for the capture-avoiding substitution of x by s in t, and define the context-based
reduction semantics →_λ of the λ-calculus by the following rule

$$E[(\lambda x.t)\ @\ s] \to_{\lambda} E[t\{s/x\}]$$


which can be read declaratively: if we find a redex in a context E built according to the
given grammar of contexts, then we can reduce. This format of semantics does not make it
apparent how to decompose a term to find a redex. On the other hand, structural operational
semantics offers another common semantic format that makes it more explicit how to navigate
in a term to find a redex, but it does not store the traversed path.
2.2 Zipper Semantics


A first step towards an abstract machine is to make explicit the step-by-step decomposition of 
a term into a context and a redex. To this end, we propose zipper semantics, a combination 
of SOS and reduction semantics. Like a regular SOS, a zipper semantics goes through a term 
looking for a redex using structural rules, except the current position in the term is made 
explicit with a context as in reduction semantics. 

The zipper semantics for the λ-calculus is defined in Figure 1. It looks for a β-redex while
constructing the surrounding context E at the same time. The decomposition happens in the
rules appL, appR, and appλ, where we search for a redex by descending into the appropriate
subterm of a given term. Each of these rules corresponds to a frame, with init initiating the
search by setting the context to ε.

These rules actually look for the application at the root of the β-redex; checking that
an application t @ s is indeed a β-redex is done by the rule appβ. It relies on an auxiliary
transition $t \xrightarrow{s,E}_{\mathrm{lam}} t'$, which checks that its source is indeed a λ-abstraction. In that case, we
can β-reduce with rule lam. We can see that computation only occurs in the axiom; the
other rules are simply propagating the result unchanged.

One may wonder why we need the rules appβ and lam while a single axiom
$(\lambda x.t)\ @\ s \xrightarrow{E}_{\mathrm{app}} E[t\{s/x\}]$ is enough to recognize a β-redex. The reason is that we restrict ourselves to patterns
discriminating only the head constructor of a term, to remain close to an abstract machine
where the decomposition of a term occurs only one operator at a time.

We prove that the zipper semantics and reduction semantics coincide in Appendix A. 


▶ Example 1. To illustrate further how to recognize a redex one operator at a time, suppose
we restrict the argument of the β-redex to a value v ::= x | λx.t, so that E[(λx.t) @ v] →_λ
E[t{v/x}]. In such a case, we would need an extra transition $s \xrightarrow{x,t,E}_{\mathrm{val}} t'$ (the mode name val is an
assumption, as it is not legible here), checking that s is a value. The rule lam would be replaced by the rule lam″ below.

$$\frac{s \xrightarrow{x,t,E}_{\mathrm{val}} t'}{\lambda x.t \xrightarrow{s,E}_{\mathrm{lam}} t'}\ \mathrm{lam''}
\qquad
\frac{}{y \xrightarrow{x,t,E}_{\mathrm{val}} E[t\{y/x\}]}\ \mathrm{var''}
\qquad
\frac{}{\lambda y.s \xrightarrow{x,t,E}_{\mathrm{val}} E[t\{\lambda y.s/x\}]}\ \mathrm{lam''}$$


2.3 Non-Deterministic Abstract Machine 


Design principles. Zipper semantics describes how to decompose a term into a redex and a
context, but it is not yet an implementation, as it does not explain what to do when several
rules can be applied, like appL, appR, and appβ. The NDAM simply picks one of them, and
backtracks if it reaches a dead end. We present how we implement this backtracking and how
it can be derived from the zipper rules, before giving the formal definition of the NDAM.

The decomposition at work in the zipper semantics rules can be turned into machine
steps: we see the change of focus occurring in the source term between the conclusion and
the premise. We introduce a machine mode for each transition kind (here, app and lam), and
the rules appL, appR, and appβ are translated to the following forward machine steps, with |
separating the term from the context:

$$\langle t\ @\ s \mid E\rangle_{\mathrm{app}} \to \langle t \mid @\,s :: E\rangle_{\mathrm{app}}
\qquad
\langle t\ @\ s \mid E\rangle_{\mathrm{app}} \to \langle s \mid t\,@ :: E\rangle_{\mathrm{app}}
\qquad
\langle t\ @\ s \mid E\rangle_{\mathrm{app}} \to \langle t \mid s, E\rangle_{\mathrm{lam}}$$


We see why interpreting the context inside-out is convenient: focusing on t in E[t @ s] amounts
to pushing the frame @ s on top of E. It is the same as decomposing the term as (@ s :: E)[t]:
the innermost constructor becomes the topmost one in the context.
The resulting machine is non-deterministic as three different steps can be taken from the
configuration ⟨t @ s | E⟩_app. Unlike typical deterministic machines, it does not implement a
strategy and does not choose, e.g., to always go left of an application as in the KAM [27].
A consequence is that the machine can make a wrong choice, i.e., focus on a term which
cannot reduce, like a variable. In such cases, we want the machine to backtrack to the last
configuration for which a choice had to be made, and no further. To do so, we record the
applied rules in a stack π. When we reach a term which cannot reduce, we switch to a
backtracking mode (here, bapp) where we can “unapply” a rule.


$$\begin{aligned}
\langle t\ @\ s;\ \pi \mid E\rangle_{\mathrm{app}} &\to \langle t;\ \mathrm{appL} :: \pi \mid @\,s :: E\rangle_{\mathrm{app}}\\
\langle x;\ \pi \mid E\rangle_{\mathrm{app}} &\to \langle \pi;\ x \mid E\rangle_{\mathrm{bapp}}\\
\langle \mathrm{appL} :: \pi;\ t \mid @\,s :: E\rangle_{\mathrm{bapp}} &\to \langle t\ @\ s;\ \pi \mid E\rangle_{\mathrm{app}}
\end{aligned}$$


The machine may try other rules on t @ s, e.g., to find a redex in s. However, it should
not try appL again, as the backtracking step implies there is no redex in t. We refer to
backtracking steps like the last one as backward, and to steps like the middle one as switching.
The backward step is simply the reverse of the corresponding forward step.

We prevent the machine from choosing a previously explored path by annotating the root
operator of an already tested subterm. An annotation t @^{app} s means that t @ s has already
been tried for →_app transitions and is a normal form for it. Similarly, a term annotated lam
is a normal form w.r.t. →_lam (it is not a λ-abstraction). A term can be annotated with
both app and lam, for instance if it is a variable.

The machine can take a forward step only if the term in focus has not been already tested.
For t @ s, we try appL (resp. appR) only if t (resp. s) is not annotated app, and appβ only
if t is not annotated lam. If none of the steps applies because of the annotations, then all
possible rules have been tried and t @ s is a normal form for app: the machine backtracks
and annotates the term accordingly. In what follows, Σ represents an annotation set.

$$\begin{aligned}
\langle x^{\Sigma};\ \pi \mid E\rangle_{\mathrm{app}} &\to \langle \pi;\ x^{\Sigma \cup \{\mathrm{app}\}} \mid E\rangle_{\mathrm{bapp}}\\
\langle t\ @^{\Sigma}\ s;\ \pi \mid E\rangle_{\mathrm{app}} &\to \langle \pi;\ t\ @^{\Sigma \cup \{\mathrm{app}\}}\ s \mid E\rangle_{\mathrm{bapp}} \qquad \text{if no other step applies}
\end{aligned}$$


Switching steps are of two kinds: either the language construct does not have a forward step
for a given mode (like a variable in the app mode), or all possible rules have been tried for
the construct. They both can be derived from the zipper semantics by looking at which rule
can be applied to each construct. This derivation is made easier by the constraint that the
decomposition occurs one operator at a time in zipper rules. If we allowed for more complex
patterns such as (λx.t) @ s, we would have to create a switching step for the terms not fitting
this pattern, like x @ s, and enumerating these anti-patterns would be more difficult [26].

Finally, because we store the annotations of a term in its root operator, we need to
remember them when a forward step removes the operator, to be able to restore them when
we backtrack. We do so in the stack π.

$$\begin{aligned}
\langle t\ @^{\Sigma}\ s;\ \pi \mid E\rangle_{\mathrm{app}} &\to \langle t;\ (\mathrm{appL}, \Sigma) :: \pi \mid @\,s :: E\rangle_{\mathrm{app}}\\
\langle (\mathrm{appL}, \Sigma) :: \pi;\ t \mid @\,s :: E\rangle_{\mathrm{bapp}} &\to \langle t\ @^{\Sigma}\ s;\ \pi \mid E\rangle_{\mathrm{app}}
\end{aligned}$$


In this simple example we could do without the stack because the contexts encode precisely
the rules that have been applied along the way. In general, however, a single context cannot
always reflect the derivation tree, as we can see in the HOπ example (Appendix C).

The next example illustrates how annotations work, and also that they may no longer
hold after reduction. Therefore they should be erased before searching for the next redex.
▶ Example 2. Let Ω ≜ (λx.x @ x) @ (λx.x @ x), with all annotation sets empty. We show a possible machine
run for this term, where we label forward and backward steps with the rule they apply or
unapply, and switching steps with a constant τ. For readability, we write only the term
under focus.

The machine may first go left and under the λ-abstraction.

$$\langle \Omega \mid \ldots\rangle_{\mathrm{app}} \xrightarrow{\mathrm{appL}} \xrightarrow{\mathrm{app}\lambda} \langle x\ @\ x \mid \ldots\rangle_{\mathrm{app}}$$


At that point, it may test whether the application is a β-redex. Since it is not the case, it
backtracks, annotating the variable in function position.

$$\langle x\ @\ x \mid \ldots\rangle_{\mathrm{app}} \xrightarrow{\mathrm{app}\beta} \langle x \mid \ldots\rangle_{\mathrm{lam}} \xrightarrow{\tau} \xrightarrow{-\mathrm{app}\beta} \langle x^{\{\mathrm{lam}\}}\ @\ x \mid \ldots\rangle_{\mathrm{app}}$$


From there, it necessarily tests the other possibilities appL and appR (in no predefined order),
and fails in both cases.

$$\langle x^{\{\mathrm{lam}\}}\ @\ x \mid \ldots\rangle_{\mathrm{app}} \xrightarrow{\mathrm{appL}} \xrightarrow{\tau} \xrightarrow{-\mathrm{appL}} \xrightarrow{\mathrm{appR}} \xrightarrow{\tau} \xrightarrow{-\mathrm{appR}} \langle x^{\{\mathrm{app},\mathrm{lam}\}}\ @\ x^{\{\mathrm{app}\}} \mid \ldots\rangle_{\mathrm{app}}$$


Then it can only backtrack to reconstruct the λ-abstraction on the left, and then the whole
term.

$$\xrightarrow{\tau} \xrightarrow{-\mathrm{app}\lambda} \langle \lambda x.\,x^{\{\mathrm{app},\mathrm{lam}\}}\ @^{\{\mathrm{app}\}}\ x^{\{\mathrm{app}\}} \mid \ldots\rangle_{\mathrm{app}}
\xrightarrow{\tau} \xrightarrow{-\mathrm{appL}} \langle (\lambda^{\{\mathrm{app}\}}x.\,x^{\{\mathrm{app},\mathrm{lam}\}}\ @^{\{\mathrm{app}\}}\ x^{\{\mathrm{app}\}})\ @\ (\lambda x.\,x\ @\ x) \mid \ldots\rangle_{\mathrm{app}}$$


The machine can then look for a redex in the λ-abstraction on the right, and it would result
in the same annotations as for the one on the left, not necessarily generated in the same order.
It can also rightfully recognize the term as a β-redex, with the sequence →^{appβ} →^{lam}, the
last step performing the reduction. After the reduction, we should also erase the remaining
annotations. If we do not erase them, the result of the reduction would be

$$\langle (\lambda x.\,x\ @\ x)\ @^{\{\mathrm{app}\}}\ (\lambda x.\,x\ @\ x)\rangle_{\mathrm{zs}}$$

and the app annotation would wrongfully signal the term as a normal form, preventing it
from being reduced. Erasing all the remaining annotations ensures the machine finds the next
redex, but a finer, language-specific analysis would erase only the problematic annotations.
We leave such an optimization as future work.


Formal definition. We let a range over annotations, Σ over annotation sets, and denote
the empty set by ∅. We extend the λ-calculus syntax as follows:

$$a ::= \mathrm{app} \mid \mathrm{lam} \qquad t, s ::= x^{\Sigma} \mid \lambda^{\Sigma}x.t \mid t\ @^{\Sigma}\ s$$

We write an(t) for the annotation set at the root of t, e.g., an(t @^Σ s) ≜ Σ. We write t^{+a} for
its extension with a, so that an(t^{+a}) = an(t) ∪ {a}. We write ⌊t⌋ for the erasure of t, where
all the annotation sets in t are made empty.

The syntax of contexts uses annotated terms, and plugging returns an annotated term
where the annotation sets of the context operators are empty: e.g., (λx :: E)[t] ≜ E[λ^∅x.t].
Plugging is used only after a reduction step, where all the annotation sets are erased anyway.


We let ρ range over rule names and π over rule stacks, defined as π ::= init | (ρ, Σ) :: π.


The definition of the machine for the A-calculus is given in Figure 2. 
$$\langle t\rangle_{\mathrm{zs}} \to \langle t;\ \mathrm{init} \mid \varepsilon\rangle_{\mathrm{app}}$$

$$\begin{aligned}
\langle t\ @^{\Sigma}\ s;\ \pi \mid E\rangle_{\mathrm{app}} &\to \langle t;\ (\mathrm{appL},\Sigma)::\pi \mid @\,s::E\rangle_{\mathrm{app}} &&\text{if } \mathrm{app}\notin an(t)\\
\langle t\ @^{\Sigma}\ s;\ \pi \mid E\rangle_{\mathrm{app}} &\to \langle s;\ (\mathrm{appR},\Sigma)::\pi \mid t\,@::E\rangle_{\mathrm{app}} &&\text{if } \mathrm{app}\notin an(s)\\
\langle t\ @^{\Sigma}\ s;\ \pi \mid E\rangle_{\mathrm{app}} &\to \langle t;\ (\mathrm{app}\beta,\Sigma)::\pi \mid s, E\rangle_{\mathrm{lam}} &&\text{if } \mathrm{lam}\notin an(t)\\
\langle \lambda^{\Sigma}x.t;\ \pi \mid E\rangle_{\mathrm{app}} &\to \langle t;\ (\mathrm{app}\lambda,\Sigma)::\pi \mid \lambda x::E\rangle_{\mathrm{app}} &&\text{if } \mathrm{app}\notin an(t)\\
\langle t;\ \pi \mid E\rangle_{\mathrm{app}} &\to \langle \pi;\ t^{+\mathrm{app}} \mid E\rangle_{\mathrm{bapp}} &&\text{otherwise}
\end{aligned}$$

$$\begin{aligned}
\langle \mathrm{init};\ t \mid \varepsilon\rangle_{\mathrm{bapp}} &\to \langle t\rangle_{\mathrm{nf}}\\
\langle (\mathrm{appL},\Sigma)::\pi;\ t \mid @\,s::E\rangle_{\mathrm{bapp}} &\to \langle t\ @^{\Sigma}\ s;\ \pi \mid E\rangle_{\mathrm{app}}\\
\langle (\mathrm{appR},\Sigma)::\pi;\ s \mid t\,@::E\rangle_{\mathrm{bapp}} &\to \langle t\ @^{\Sigma}\ s;\ \pi \mid E\rangle_{\mathrm{app}}\\
\langle (\mathrm{app}\beta,\Sigma)::\pi;\ t \mid s, E\rangle_{\mathrm{blam}} &\to \langle t\ @^{\Sigma}\ s;\ \pi \mid E\rangle_{\mathrm{app}}\\
\langle (\mathrm{app}\lambda,\Sigma)::\pi;\ t \mid \lambda x::E\rangle_{\mathrm{bapp}} &\to \langle \lambda^{\Sigma}x.t;\ \pi \mid E\rangle_{\mathrm{app}}
\end{aligned}$$

$$\begin{aligned}
\langle \lambda^{\Sigma}x.t;\ \pi \mid s, E\rangle_{\mathrm{lam}} &\to \langle \lfloor E[t\{s/x\}] \rfloor\rangle_{\mathrm{zs}}\\
\langle t;\ \pi \mid s, E\rangle_{\mathrm{lam}} &\to \langle \pi;\ t^{+\mathrm{lam}} \mid s, E\rangle_{\mathrm{blam}} \qquad \text{otherwise}
\end{aligned}$$

▶ Figure 2 Non-Deterministic Abstract Machine for the λ-calculus


A forward configuration ⟨t; π | …⟩_m (with m ∈ {app, lam}) discriminates on (the root
operator of) t to apply a rule of the zipper semantics. For an inductive rule, it results in
a change of focus and an extension of the stack, on which we record the applied rule and
the annotation set of the root operator. Taking such a step is possible only if the new term
under focus is not a normal form. A special case of forward step is the initial one from ⟨t⟩_zs,
which does not have a side-condition, as we assume the annotation sets of t to be empty.


The β-reduction happens in the first transition of the lam mode. Backtracking is no
longer necessary so we drop the stack. We reconstruct the entire term, and switch to the
initial mode to search for a new redex starting from the root of the new term. We erase all
annotations, as they may no longer be valid, as illustrated by Example 2.


If a forward configuration cannot apply a rule, we switch to the corresponding backward
mode, annotating t in the process: these are the two “otherwise” steps. A backward
configuration ⟨π; t | …⟩_bm inspects the stack π to unapply the rule at its top. While a
backward step restores the configuration of the corresponding forward step, the term contains
more annotations after a backward step than before taking the forward step: in ⟨π; t | E⟩_bm,
we have m ∈ an(t) by construction. The annotations prevent the machine from reapplying a
rule it just unapplied. The normal form mode ⟨t⟩_nf signals that the term cannot reduce.


A machine run starts with an initial configuration ⟨t⟩_zs, where all the annotation sets of t
are empty. The semantics of the machine is given by these configurations: if ⟨t⟩_zs →⁺ ⟨t′⟩_zs
such that the sequence →⁺ does not go through another initial configuration, then t →_λ t′.
Similarly, if ⟨t⟩_zs →* ⟨t′⟩_nf, then ⌊t′⌋ = t and t is a normal form. We state the correspondence
and termination theorems independently from the source zipper semantics in Section 4.
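The machine of Figure 2, as an added example written for this page in Python (it is not the paper's own implementation [5]): configurations are tuples, the rule stack π is a tuple of (rule, Σ) pairs with the empty tuple playing the role of init, and instead of picking one enabled step the driver `run` explores every enabled step, which exercises backtracking and annotations on all paths. The names `step`, `run`, `extend`, `plug` and the sample terms are this example's own choices; `run(OMEGA)` replays Example 2 exhaustively and `run(TWO_REDEXES)` shows that, with no fixed strategy, both redexes of a term are found.

```python
from dataclasses import dataclass, replace

# Annotated terms of Section 2.3: t ::= x^Σ | λ^Σx.t | t @^Σ s, with Σ a frozenset over {"app", "lam"}.
@dataclass(frozen=True)
class Var:
    name: str
    ann: frozenset = frozenset()

@dataclass(frozen=True)
class Lam:
    x: str
    body: object
    ann: frozenset = frozenset()

@dataclass(frozen=True)
class App:
    fun: object
    arg: object
    ann: frozenset = frozenset()

def an(t):             # an(t): annotation set at the root of t
    return t.ann

def extend(t, a):      # t^{+a}: an(t^{+a}) = an(t) ∪ {a}
    return replace(t, ann=t.ann | {a})

def erase(t):          # ⌊t⌋: all annotation sets made empty
    if isinstance(t, Var): return Var(t.name)
    if isinstance(t, Lam): return Lam(t.x, erase(t.body))
    return App(erase(t.fun), erase(t.arg))

def free_vars(t):
    if isinstance(t, Var): return {t.name}
    if isinstance(t, Lam): return free_vars(t.body) - {t.x}
    return free_vars(t.fun) | free_vars(t.arg)

def subst(t, x, s):    # t{s/x}, capture-avoiding: a binder clashing with fv(s) is renamed first
    if isinstance(t, Var): return s if t.name == x else t
    if isinstance(t, App): return App(subst(t.fun, x, s), subst(t.arg, x, s), t.ann)
    if t.x == x: return t
    if t.x in free_vars(s):
        fresh = t.x + "'"
        while fresh in free_vars(s) or fresh in free_vars(t.body): fresh += "'"
        return Lam(fresh, subst(subst(t.body, t.x, Var(fresh)), x, s), t.ann)
    return Lam(t.x, subst(t.body, x, s), t.ann)

# A context E is a tuple of frames, innermost first: ("lam", x) is λx, ("arg", s) is @ s, ("fun", s) is s @.
def plug(E, t):        # E[t]
    for kind, u in E:
        t = Lam(u, t) if kind == "lam" else App(t, u) if kind == "arg" else App(u, t)
    return t

# Configurations: ("zs", t), ("app", t, π, E), ("lam", t, π, s, E), ("bapp", π, t, E),
# ("blam", π, t, s, E), ("nf", t). The stack π is a tuple of (rule, Σ), top first; () is init.
def step(c):
    """All machine steps enabled in configuration c, following Figure 2."""
    mode = c[0]
    if mode == "zs":
        return [("app", c[1], (), ())]
    if mode == "app":
        _, t, pi, E = c
        nxt = []
        if isinstance(t, App):
            if "app" not in an(t.fun):    # appL
                nxt.append(("app", t.fun, (("appL", t.ann),) + pi, (("arg", t.arg),) + E))
            if "app" not in an(t.arg):    # appR
                nxt.append(("app", t.arg, (("appR", t.ann),) + pi, (("fun", t.fun),) + E))
            if "lam" not in an(t.fun):    # appβ: check the function position in lam mode
                nxt.append(("lam", t.fun, (("appB", t.ann),) + pi, t.arg, E))
        elif isinstance(t, Lam) and "app" not in an(t.body):   # appλ
            nxt.append(("app", t.body, (("appLam", t.ann),) + pi, (("lam", t.x),) + E))
        return nxt or [("bapp", pi, extend(t, "app"), E)]      # otherwise: switch and annotate
    if mode == "lam":
        _, t, pi, s, E = c
        if isinstance(t, Lam):            # β-reduction: drop π, rebuild the term, erase annotations
            return [("zs", erase(plug(E, subst(t.body, t.x, s))))]
        return [("blam", pi, extend(t, "lam"), s, E)]
    if mode == "bapp":                    # backward step: unapply the rule on top of π
        _, pi, t, E = c
        if not pi:
            return [("nf", t)]
        (rule, S), pi = pi[0], pi[1:]
        (_, u), E = E[0], E[1:]
        rebuilt = {"appL": App(t, u, S), "appR": App(u, t, S), "appLam": Lam(u, t, S)}[rule]
        return [("app", rebuilt, pi, E)]
    if mode == "blam":                    # the rule on top is necessarily appβ
        _, pi, t, s, E = c
        (_, S), pi = pi[0], pi[1:]
        return [("app", App(t, s, S), pi, E)]
    return []                             # nf: nothing left to do

def run(t):
    """Explore every choice from ⟨t⟩_zs; returns (set of one-step reducts, whether nf was reached)."""
    reducts, normal, stack = set(), False, [("zs", erase(t))]
    while stack:                          # finite: every backward step adds an annotation
        for n in step(stack.pop()):
            if n[0] == "zs": reducts.add(n[1])
            elif n[0] == "nf": normal = True
            else: stack.append(n)
    return reducts, normal

# Constructed sample terms: Ω from Example 2, the identity, and a term with two redexes.
ID = Lam("x", Var("x"))
DELTA = Lam("x", App(Var("x"), Var("x")))
OMEGA = App(DELTA, DELTA)
TWO_REDEXES = App(App(ID, Var("a")), App(ID, Var("b")))
```

`run(OMEGA)` returns `({OMEGA}, False)`: every path through the annotations terminates, the only reduct is Ω itself, and no path reaches nf; `run(TWO_REDEXES)` returns both one-step reducts, one per redex, which is the completeness property the paper proves for the derived machine.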
$$\frac{P \xrightarrow{\varepsilon}_{\mathrm{par}} P'}{P \to_{\mathrm{zs}} P'}\ \mathrm{init}
\qquad
\frac{P \xrightarrow{\parallel Q :: E}_{\mathrm{par}} P'}{P \parallel Q \xrightarrow{E}_{\mathrm{par}} P'}\ \mathrm{parL}\ (s)
\qquad
\frac{P \xrightarrow{\varepsilon,\,L,\,E,\,Q}_{\mathrm{out}} P'}{P \parallel Q \xrightarrow{E}_{\mathrm{par}} P'}\ \mathrm{parOutL}
\qquad
\frac{Q \xrightarrow{\varepsilon,\,R,\,E,\,P}_{\mathrm{out}} P'}{P \parallel Q \xrightarrow{E}_{\mathrm{par}} P'}\ \mathrm{parOutR}$$

$$\frac{P \xrightarrow{\parallel Q :: F,\,S,\,E,\,R}_{\mathrm{out}} P'}{P \parallel Q \xrightarrow{F,\,S,\,E,\,R}_{\mathrm{out}} P'}\ \mathrm{outParL}\ (s)
\qquad
\frac{R \xrightarrow{\varepsilon,\,S,\,a,\,P,\,E,\,F}_{\mathrm{in}} P'}{a\langle P\rangle \xrightarrow{F,\,S,\,E,\,R}_{\mathrm{out}} P'}\ \mathrm{outIn}
\qquad
\frac{R \xrightarrow{\parallel Q :: G,\,S,\,a,\,P,\,E,\,F}_{\mathrm{in}} P'}{R \parallel Q \xrightarrow{G,\,S,\,a,\,P,\,E,\,F}_{\mathrm{in}} P'}\ \mathrm{inParL}\ (s)$$

$$\frac{b = a}{b(X).R \xrightarrow{G,\,L,\,a,\,P,\,E,\,F}_{\mathrm{in}} E[F[0] \parallel G[R\{P/X\}]]}\ \mathrm{inComL}\ (s)$$

▶ Figure 3 Output-first Zipper Semantics for HOcore


3 HOcore


We consider a minimal process calculus called HOcore [30], which can be seen as an extension
of the λ-calculus with parallel composition.


3.1 Syntax and Semantics 


We let a, b range over channel names, X, Y over process variables, and we define the syntax
of processes as follows.

$$P, Q, R ::= X \mid 0 \mid P \parallel Q \mid a(X).P \mid a\langle P\rangle$$


The process 0 is the inactive process, P || Q runs P and Q in parallel, and a communication
may happen between an input a(X).P and an output a⟨Q⟩ that run in parallel. The
communication is asynchronous because a message output does not have a continuation [42];
we discuss the synchronous case in Remark 3. In spite of its minimal number of constructors,
HOcore is Turing-complete [30].

The semantics of process calculi is usually presented either with a structural congruence
relation which reorders terms to make redexes appear, bringing input and output processes
together, or with a labeled transition system which preserves the structure of the term [42].
Instead, we present it first as a reduction semantics with explicit contexts, as in Section 2.1,
which makes it easier to come up with (or translate into) the corresponding zipper semantics.

We define frames as φ ::= || P | P || and plugging as follows.

$$\varepsilon[P] \triangleq P \qquad (\parallel Q :: E)[P] \triangleq E[P \parallel Q] \qquad (Q \parallel :: E)[P] \triangleq E[Q \parallel P]$$


A redex is a parallel composition with an input on one side and an output on the same
name on the other side, both surrounded with contexts. The general formulation of such
communication sites in a program can be expressed with the following reduction semantics,
where we write P{Q/X} for the capture-avoiding substitution of X by Q in P:

$$E[F[a\langle Q\rangle] \parallel G[a(X).P]] \to E[F[0] \parallel G[P\{Q/X\}]]$$

$$E[G[a(X).P] \parallel F[a\langle Q\rangle]] \to E[G[P\{Q/X\}] \parallel F[0]]$$
3.2 Zipper Semantics


Finding an HOcore redex requires us to recognize three constructs (parallel composition 
along with output and input on a shared name) and build the contexts E, F, and G. The first 
step is to find the parallel composition; once the communicating processes P || Q are found, 
the communication rules of typical LTSs for process calculi [30,41,42] have two premises 
looking for the output and the input in P and Q respectively. To be closer to an abstract 
machine, we sequentialize the search by looking for the output first (while constructing F) 
and then the input (with G)—the opposite choice would produce a completely symmetric 
semantics. Figure 3 presents such an output-first zipper semantics, where we omit the 
symmetric versions of the rules marked with the symbol (s). The resulting semantics is close 
to complementary semantics [31], where the communication is also sequentialized. 


The transition →_par is looking for the parallel composition while building E: it proceeds
as →_app in the λ-calculus. Once we find the parallel composition, we look for the output
either on the left or on the right with respectively rules parOutL and parOutR. We record
the side we pick with a parameter S ::= L | R. For example, in rule parOutL, we look for
an output in P on the left (L), remembering that we should later search for a corresponding
input in Q. We also initialize the context F surrounding the output with ε and remember E
as the context enclosing the whole redex.


The transition $\xrightarrow{F,S,E,R}_{\mathrm{out}}$ decomposes its source process to find an output, building F
at the same time: the other parameters S, E, and R remain unchanged during the search.


When we find the output a⟨P⟩ (rule outIn), we look for a corresponding input in R using
$\xrightarrow{G,S,a,P,E,F}_{\mathrm{in}}$, which builds the context G during the search. Once we find an input on a, we
compute the result of the communication, which depends on whether the output is on the left
(rule inComL) or on the right (omitted rule inComR).

We prove the correspondence between the two semantics in Appendix B. 
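The output-first rules of Figure 3, as an added Python example (not taken from the paper or its implementation [5]): each transition →_par, →_out and →_in becomes a generator over all derivations rather than a single chosen one, the contexts E, F and G are tuples of frames (innermost first, as in the paper), and the symmetric rules parR, outParR and inParR that the figure omits are spelled out. The function names `par`, `out`, `inp`, `reducts`, the frame encoding and the sample process are assumptions of this example, not the paper's notation.

```python
from dataclasses import dataclass

# HOcore processes: P ::= X | 0 | P || Q | a(X).P | a<P>
@dataclass(frozen=True)
class Nil:
    pass

@dataclass(frozen=True)
class PVar:
    name: str

@dataclass(frozen=True)
class Par:
    left: object
    right: object

@dataclass(frozen=True)
class Inp:            # a(X).P
    chan: str
    x: str
    body: object

@dataclass(frozen=True)
class Out:            # a<P>
    chan: str
    msg: object

def fv(P):            # free process variables of P
    if isinstance(P, PVar): return {P.name}
    if isinstance(P, Par): return fv(P.left) | fv(P.right)
    if isinstance(P, Inp): return fv(P.body) - {P.x}
    if isinstance(P, Out): return fv(P.msg)
    return set()

def subst(P, X, Q):   # P{Q/X}, capture-avoiding: a binder clashing with fv(Q) is renamed first
    if isinstance(P, PVar): return Q if P.name == X else P
    if isinstance(P, Par): return Par(subst(P.left, X, Q), subst(P.right, X, Q))
    if isinstance(P, Out): return Out(P.chan, subst(P.msg, X, Q))
    if isinstance(P, Inp) and P.x != X:
        x, body = P.x, P.body
        if x in fv(Q):
            fresh = x + "'"
            while fresh in fv(Q) or fresh in fv(body): fresh += "'"
            body, x = subst(body, x, PVar(fresh)), fresh
        return Inp(P.chan, x, subst(body, X, Q))
    return P

# Contexts are tuples of frames, innermost first: ("||Q", Q) is the frame || Q, ("Q||", Q) is Q ||.
def plug(E, P):       # E[P]
    for kind, Q in E:
        P = Par(P, Q) if kind == "||Q" else Par(Q, P)
    return P

def par(P, E):                      # P -->_par^E P'  (parL, parR, parOutL, parOutR)
    if isinstance(P, Par):
        yield from par(P.left, (("||Q", P.right),) + E)
        yield from par(P.right, (("Q||", P.left),) + E)
        yield from out(P.left, (), "L", E, P.right)
        yield from out(P.right, (), "R", E, P.left)

def out(P, F, S, E, R):             # P -->_out^{F,S,E,R} P'  (outParL, outParR, outIn)
    if isinstance(P, Par):
        yield from out(P.left, (("||Q", P.right),) + F, S, E, R)
        yield from out(P.right, (("Q||", P.left),) + F, S, E, R)
    elif isinstance(P, Out):
        yield from inp(R, (), S, P.chan, P.msg, E, F)

def inp(R, G, S, a, P, E, F):       # R -->_in^{G,S,a,P,E,F} R'  (inParL, inParR, inComL, inComR)
    if isinstance(R, Par):
        yield from inp(R.left, (("||Q", R.right),) + G, S, a, P, E, F)
        yield from inp(R.right, (("Q||", R.left),) + G, S, a, P, E, F)
    elif isinstance(R, Inp) and R.chan == a:      # only an input on the output's name matches
        cont = subst(R.body, R.x, P)
        if S == "L":                              # inComL: the output was on the left
            yield plug(E, Par(plug(F, Nil()), plug(G, cont)))
        else:                                     # inComR: the output was on the right
            yield plug(E, Par(plug(G, cont), plug(F, Nil())))

def reducts(P):                     # all P' with P -->_zs P' (rule init sets E = ε)
    return set(par(P, ()))

# Constructed sample: two outputs on the left, their matching inputs on the right.
SAMPLE = Par(Par(Out("a", Nil()), Out("b", Nil())),
             Par(Inp("a", "X", PVar("X")), Inp("b", "Y", Nil())))
```

`reducts(SAMPLE)` yields exactly the two communications (on a and on b), each obtained by one derivation: parOutL at the root, outParL or outParR to reach the output, then outIn and inParL or inParR to reach the input. A process with no matching pair gives the empty set, which is the situation the machine of Section 3.3 has to detect by backtracking.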


▶ Remark 3 (Synchronous communication). For a synchronous calculus with an output a⟨P⟩.Q,
the rule outIn would pass the continuation Q as an argument of the input transition →_in. The
continuation Q would then be plugged into F in the axioms inComL and inComR.


▶ Remark 4 (Left-first search). After finding the communicating processes P || Q, we could
always go left (in P). When we find an output or input in P, we look for its complement
in Q. A right-first search is also possible. We present the left-first zipper semantics and its
machine in Appendix B; such an approach does not scale to HOπ, as explained in Remark 22.


3.3 Non-Deterministic Abstract Machine 


We derive the HOcore NDAM from its zipper semantics along the same principles as for the
λ-calculus: each rule of the semantics corresponds to a forward step and a backward step,
and when no forward step applies to a configuration, we switch to a backward configuration.
The difference is in the normal-form annotations: in the λ-calculus, being a normal form w.r.t.
$\xrightarrow{s,E}_{\mathrm{lam}}$ does not depend on the arguments s and E. In HOcore, being a normal form
depends on some of the arguments in the input and output transitions.


For example, in a process (a⟨0⟩ || b⟨0⟩) || Q, we may look into Q for an input on a or on b.
If Q does not contain an input on a, then annotating it with the mode in would prevent
searching in Q for an input on b. We therefore include the name in the annotation, marking
the root operator of Q with (in, a), meaning that Q cannot do an input on a. If it also cannot
do an input on b, then its root operator will be annotated with both (in, a) and (in, b).
$$\langle P\rangle_{\mathrm{zs}} \to \langle P;\ \mathrm{init} \mid \varepsilon\rangle_{\mathrm{par}}$$

$$\begin{aligned}
\langle P \parallel^{\Sigma} Q;\ \pi \mid E\rangle_{\mathrm{par}} &\to \langle P;\ (\mathrm{parL},\Sigma)::\pi \mid \parallel Q :: E\rangle_{\mathrm{par}} &&\text{if } \mathrm{par} \notin an(P)\\
\langle P \parallel^{\Sigma} Q;\ \pi \mid E\rangle_{\mathrm{par}} &\to \langle P;\ (\mathrm{parOutL},\Sigma)::\pi \mid \varepsilon, L, E, Q\rangle_{\mathrm{out}} &&\text{if } (\mathrm{out}, \lfloor Q\rfloor) \notin an(P)\\
\langle P \parallel^{\Sigma} Q;\ \pi \mid E\rangle_{\mathrm{par}} &\to \langle Q;\ (\mathrm{parOutR},\Sigma)::\pi \mid \varepsilon, R, E, P\rangle_{\mathrm{out}} &&\text{if } (\mathrm{out}, \lfloor P\rfloor) \notin an(Q)\\
\langle P;\ \pi \mid E\rangle_{\mathrm{par}} &\to \langle \pi;\ P^{+\mathrm{par}} \mid E\rangle_{\mathrm{bpar}} &&\text{otherwise}
\end{aligned}$$

$$\begin{aligned}
\langle \mathrm{init};\ P \mid \varepsilon\rangle_{\mathrm{bpar}} &\to \langle P\rangle_{\mathrm{nf}}\\
\langle (\mathrm{parL},\Sigma)::\pi;\ P \mid \parallel Q :: E\rangle_{\mathrm{bpar}} &\to \langle P \parallel^{\Sigma} Q;\ \pi \mid E\rangle_{\mathrm{par}}
\end{aligned}$$

$$\begin{aligned}
\langle P \parallel^{\Sigma} Q;\ \pi \mid F, S, E, R\rangle_{\mathrm{out}} &\to \langle P;\ (\mathrm{outParL},\Sigma)::\pi \mid \parallel Q :: F, S, E, R\rangle_{\mathrm{out}} &&\text{if } (\mathrm{out}, \lfloor R\rfloor) \notin an(P)\\
\langle a^{\Sigma}\langle P\rangle;\ \pi \mid F, S, E, R\rangle_{\mathrm{out}} &\to \langle R;\ (\mathrm{outIn},\Sigma)::\pi \mid \varepsilon, S, a, P, E, F\rangle_{\mathrm{in}} &&\text{if } (\mathrm{in}, a) \notin an(R)\\
\langle P;\ \pi \mid F, S, E, R\rangle_{\mathrm{out}} &\to \langle \pi;\ P^{+(\mathrm{out}, \lfloor R\rfloor)} \mid F, S, E, R\rangle_{\mathrm{bout}} &&\text{otherwise}
\end{aligned}$$

$$\begin{aligned}
\langle (\mathrm{parOutL},\Sigma)::\pi;\ P \mid \varepsilon, L, E, Q\rangle_{\mathrm{bout}} &\to \langle P \parallel^{\Sigma} Q;\ \pi \mid E\rangle_{\mathrm{par}}\\
\langle (\mathrm{parOutR},\Sigma)::\pi;\ Q \mid \varepsilon, R, E, P\rangle_{\mathrm{bout}} &\to \langle P \parallel^{\Sigma} Q;\ \pi \mid E\rangle_{\mathrm{par}}\\
\langle (\mathrm{outParL},\Sigma)::\pi;\ P \mid \parallel Q :: F, S, E, R\rangle_{\mathrm{bout}} &\to \langle P \parallel^{\Sigma} Q;\ \pi \mid F, S, E, R\rangle_{\mathrm{out}}
\end{aligned}$$

$$\begin{aligned}
\langle R \parallel^{\Sigma} Q;\ \pi \mid G, S, a, P, E, F\rangle_{\mathrm{in}} &\to \langle R;\ (\mathrm{inParL},\Sigma)::\pi \mid \parallel Q :: G, S, a, P, E, F\rangle_{\mathrm{in}} &&\text{if } (\mathrm{in}, a) \notin an(R)\\
\langle b^{\Sigma}(X).R;\ \pi \mid G, L, a, P, E, F\rangle_{\mathrm{in}} &\to \langle \lfloor E[F[0] \parallel G[R\{P/X\}]] \rfloor\rangle_{\mathrm{zs}} &&\text{if } a = b\\
\langle b^{\Sigma}(X).R;\ \pi \mid G, R, a, P, E, F\rangle_{\mathrm{in}} &\to \langle \lfloor E[G[R\{P/X\}] \parallel F[0]] \rfloor\rangle_{\mathrm{zs}} &&\text{if } a = b\\
\langle R;\ \pi \mid G, S, a, P, E, F\rangle_{\mathrm{in}} &\to \langle \pi;\ R^{+(\mathrm{in}, a)} \mid G, S, a, P, E, F\rangle_{\mathrm{bin}} &&\text{otherwise}
\end{aligned}$$

$$\begin{aligned}
\langle (\mathrm{outIn},\Sigma)::\pi;\ R \mid \varepsilon, S, a, P, E, F\rangle_{\mathrm{bin}} &\to \langle a^{\Sigma}\langle P\rangle;\ \pi \mid F, S, E, R\rangle_{\mathrm{out}}\\
\langle (\mathrm{inParL},\Sigma)::\pi;\ R \mid \parallel Q :: G, S, a, P, E, F\rangle_{\mathrm{bin}} &\to \langle R \parallel^{\Sigma} Q;\ \pi \mid G, S, a, P, E, F\rangle_{\mathrm{in}}
\end{aligned}$$

▶ Figure 4 Non-Deterministic Abstract Machine for HOcore


With outputs the problem is similar, but not completely symmetric. Let $P_{a,b} = a\langle 0\rangle \parallel b\langle 0\rangle$,
and consider a process $(P_{a,b} \parallel Q) \parallel R$. We may try to find a communication between $P_{a,b}$ and
Q first. If Q does not contain an input on a or b, then $P_{a,b}$ is a normal form w.r.t. the output
search transition $\xrightarrow{\varepsilon,\, L,\, \parallel R :: \varepsilon,\, Q}_{\mathrm{out}}$, but a communication between $P_{a,b}$ and R is still possible.
As a result, we annotate the root operator of $P_{a,b}$ with (out, Q), meaning that the outputs of
$P_{a,b}$ are not complemented by the inputs in Q. Such an annotation does not prevent trying
to make $P_{a,b}$ and R communicate, which would correspond to the transition $\xrightarrow{\parallel Q :: \varepsilon,\, L,\, \varepsilon,\, R}_{\mathrm{out}}$.

As before, Σ ranges over annotation sets, and ⌊P⌋ is the erasure of P, the annotated
process with empty annotation sets. The syntax of annotations and processes is as follows.

$$a ::= \mathrm{par} \mid (\mathrm{out}, \lfloor P\rfloor) \mid (\mathrm{in}, a) \qquad P, Q, R ::= X^{\Sigma} \mid 0^{\Sigma} \mid P \parallel^{\Sigma} Q \mid a^{\Sigma}(X).P \mid a^{\Sigma}\langle P\rangle$$


Substitution and plugging are extended to annotated processes as expected. The definition
of the machine is given in Figure 4. The process P in an annotation (out, ⌊P⌋)—as in the side
conditions in the par-transitions—is erased, because normal forms are defined with respect
to the zipper semantics transitions, where processes are not annotated. Apart from richer
annotations, the definition of the machine follows the principles of Section 2.3. Note that the
“otherwise” step for the input mode includes the operators that are not parsed in that mode,
but also the inputs on a name distinct from a.

RR n° 9475, Biernacka, Biernacki, Lenglet & Schmitt


4 Derivation of the Abstract Machine


We show how to derive an abstract machine from a zipper semantics under some conditions. 
To this end, we specify zipper semantics as a transition system [21], a framework used to 
describe rule formats. 


4.1 Zipper Semantics as a Transition System 


Given an entity e, we write $\bar e$ for a possibly empty sequence $(e_1, \ldots, e_n)$ for some n. We
assume a set $\mathcal S$ of sorts ranged over by s, denoting the entities of the language (contexts,
names, etc.), and which includes the sort t of terms that are reduced. For each sort s, let $\mathcal O_s$
be the signature of s, i.e., a set of operators, each having a typing $\bar s \to s$. In particular, we
let op range over the operators of the terms $\mathcal O_t$. We also assume a set $\mathcal F$ of auxiliary functions
that are used to build terms, like term substitution or context plugging, each of type $\bar s \to t$.

For each s, we assume an infinite set $\mathcal V_s$ of rule variables, denoted by $v_s$, $w_s$, or v, w if the
sort does not matter. The set $\mathcal E_s$ of rule entities of sort s, ranged over by $e_s$, $f_s$ (or e, f if we
ignore the sort), are the entities built out of the signature $\mathcal O_s$ extended with rule variables.
We define $\mathcal E_s$ inductively so that $\mathcal V_s \subseteq \mathcal E_s$, and for all $o \in \mathcal O_s$ of signature $(s_1, \ldots, s_n) \to s$ and
$(e_{s_i} \in \mathcal E_{s_i})_{i \in 1..n}$ for some n, we have $o(e_{s_1}, \ldots, e_{s_n}) \in \mathcal E_s$. A special case are term entities $e_t$,
which can also be built out of auxiliary functions in $\mathcal F$. We write $rv(e_s)$ for the set of rule
variables of $e_s$; $e_s$ is ground if $rv(e_s) = \emptyset$.

A rule substitution σ is a sort-respecting mapping from rule variables to rule entities.
It should not be confused with the substitution ·{·/·} which may exist for terms and is
considered an auxiliary function in $\mathcal F$. We write vσ for the application of σ to v, and eσ for
its extension to rule entities, defined in the expected way. A ground entity e is an instance
of e′ if there exists σ such that e′σ = e.

Given some rule variables $\bar v$, we write $P(\bar v)$ for a decidable predicate on $\bar v$. We assume a
set $\mathcal M$ of modes, denoted by m, such that each mode is associated with a sequence $\bar s_m$ giving
the sorts of its arguments. The set $\mathcal M$ includes the initial mode zs with no argument.

A transition is a predicate $e_t \xrightarrow{\bar e}_{m} e'_t$, where $e_t$ and $e'_t$ are respectively the source and
the target. We consider only three kinds of rule: inductive (whose names are ranged over
with ρ), axiom, and initial, of the following respective shapes.

$$\frac{e_t \xrightarrow{\bar f}_{m'} v_t \qquad P(\bar v)}{op(\bar v) \xrightarrow{\bar e}_{m} v_t}\ \rho
\qquad
\frac{P(\bar v)}{op(\bar v) \xrightarrow{\bar e}_{m} e_t}\ \text{axiom}
\qquad
\frac{v_t \xrightarrow{\bar e}_{m} w_t}{v_t \to_{\mathrm{zs}} w_t}\ \text{init}$$


We extend the notion of set of rule variables rv and the application of a substitution to 
transitions and rules. 

An inductive rule has only one premise, and may have side-conditions, represented by $P$, 
on some of the variables $\tilde w$ occurring in the rule. The modes $m$ and $m'$ may be distinct or 
not, and the sequences $\tilde e$ and $\tilde f$ should be rule entities of sorts respectively $\tilde s_m$ and $\tilde s_{m'}$. The 
sources and targets of the transitions are terms; in the conclusion, the source term is of 
the form $op(\tilde v)$, enforcing that a rule can only pattern-match the head operator of the term. 
Both targets should be the same term variable, meaning that an inductive rule is simply 
passing along the result. Computation occurs in axioms, where the target can be any term. 
Figure 5 Rules for variants of HOcore 


An initial rule defines the initial mode $zs$. The source of the conclusion is a variable, so 
an initial rule does not perform any pattern-matching. An initial rule is just a means to 
set up the arguments of another mode $m$ (such that $m \neq zs$). A zipper semantics is a triple 
$(\mathcal{S}, \mathcal{O}, \mathcal{R})$ where $\mathcal{R}$ is a finite set of zipper rules with exactly one initial rule. The associated 
semantics on terms is defined by $\to_{zs}$. 


4.2 Derivable Zipper Semantics 


Not every zipper semantics can be turned into an NDAM. Some conditions have to be 
satisfied for the transformation to be possible and to ensure termination. 

The first one is that the rules of the semantics must be constructive w.r.t. the machine, 
meaning that the entities in its premise are constructed from the ones in the conclusion. 
Indeed, the abstract machine searches for redexes with forward steps by going from the 
conclusion to the premise of a rule. As a result, a rule like toy in Figure 5 cannot be turned 
into a machine step, as the machine would have to guess the name a. We forbid such a rule 
by requiring that in each inductive rule of the zipper semantics, the rule variables of the 
premise are included in the rule variables of the conclusion. 


> Definition 5. $\rho = \dfrac{e_t \xrightarrow{\tilde f}_{m'} v_t \qquad P(\tilde w)}{op(\tilde v) \xrightarrow{\tilde e}_m v_t}$ is machine constructive if $rv(e_t \xrightarrow{\tilde f}_{m'} v_t) \subseteq rv(op(\tilde v) \xrightarrow{\tilde e}_m v_t)$. 


The other constraint is that the rules must be reversible to allow for backtracking: it 
should be possible to reconstruct the entities in the conclusion from the ones in the premise. 
We say a rule is reversible if it cannot have two different instances with the same premise. 
For example, we could make the input search in HOcore less verbose, by combining the 
contexts $E$ and $F$ in a single context, like in the rule outInL in Figure 5. In $E[R \parallel F[0]]$, the 
input process is plugged into the context $\parallel F[0] :: E$, that we build in rule outInL, instead 
of keeping $E$ and $F$ separate as in Figure 3. However, to unapply the rule outInL, we need 
to uniquely decompose a context as $\parallel F[0] :: E$, which is not possible as soon as there are 
several occurrences of $0$ in $F[0]$: the rule outInL is not reversible. We give a simple sufficient 
criterion for a rule to be reversible. 


> Lemma 6. $\rho = \dfrac{e_t \xrightarrow{\tilde f}_{m'} v_t \qquad P(\tilde w)}{op(\tilde v) \xrightarrow{\tilde e}_m v_t}$ is reversible if we have $rv(op(\tilde v) \xrightarrow{\tilde e}_m v_t) \subseteq rv(e_t \xrightarrow{\tilde f}_{m'} v_t)$ and 
the auxiliary functions used to build the entities in $e_t$ and $\tilde f$ are injective. 


The first condition states that the rule variables of the conclusion have to be included in 
those of the premise. Indeed, if we forget an entity between the conclusion and the premise, 
like $Q$ in the rule for choice choiceBad in Figure 5, then we have no information to restore $Q$ 
when backtracking. Instead, it should be kept in an extra argument of the zipper semantics, 
like the stack in the rule choiceOk in Figure 5. This stack is useful only for backtracking 
and not to define the semantics of the language, as it is simply thrown away when we apply 
an axiom. Any rule forgetting entities between its conclusion and premise can be made 
reversible using this principle [38]. 

Finally, we want the machine to always terminate when searching for a redex. Consider 
for instance the rec rule for a recursion operator in Figure 5. The corresponding machine 
would infinitely loop with $\mu X.X$. Indeed, the forward step of this rule changes focus from 
the source of the conclusion to the source of the premise, but these two terms are equal when 
$P = X$. To avoid this, we require the zipper semantics to be well-founded. 


> Definition 7. A zipper semantics is well-founded if there exists a well-founded size $\zeta$ such 
that for all inductive rules $\dfrac{e_t \xrightarrow{\tilde f}_{m'} v_t \qquad P(\tilde w)}{op(\tilde v) \xrightarrow{\tilde e}_m v_t}$ we have $\zeta(e_t \xrightarrow{\tilde f}_{m'} v_t) < \zeta(op(\tilde v) \xrightarrow{\tilde e}_m v_t)$. 


In the calculi of this paper, each rule either focuses on a subterm or it changes mode 
(like in rule outIn in HOcore). We therefore define an ordering on modes such that $m > m'$ 
if the derivation of $m$ depends on $m'$; e.g., we have $zs > app > lam$ in the $\lambda$-calculus, and 
$zs > par > out > in$ in HOcore and HOπ. The size we consider is then the lexicographic 
ordering composed of the ordering on modes followed by the subterm ordering on the source 
term of the transition. This size works as long as we have no cyclic dependencies in modes 
and only congruence rules within each mode. It rules out unconstrained recursion, but we 
can still adapt it for guarded recursion, where the recursion variable occurs only after an 
input, as in $\mu X.a(Y).(X \parallel Y)$. In the premise of the rec rule, the $\mu$ operator itself becomes 
guarded, so the number of recursion operators at toplevel strictly decreases. 

The semantics of Figures 1, 3, and 9 are machine constructive, well-founded, and reversible 
(they satisfy Lemma 6). Henceforth, we assume the zipper semantics to be machine 
constructive, reversible, and well-founded. 


4.3 Machine Derivation 


Annotations. The machine annotates terms which cannot do certain transitions, to forbid 
repeated tries which would lead to an infinite loop. The arguments of the transition may 
play a role in whether the term is a normal form or not: in HOcore an output $\bar a\langle P\rangle$ is a 
normal form w.r.t. the output transition $\xrightarrow{F,S,E,R}_{out}$ if $R$ cannot receive the message on $a$, so 
the annotation is $(out, |R|)$. Similarly an input $\xrightarrow{G,S,a,P,E,F}_{in}$ depends on the name $a$. 

The arguments kept in the annotation are the ones either taking part in the reduction, 
like $R$ in the output case, or in side-conditions, like $a$ in the input case. Given a mode $m$ 
with arguments $\tilde e$, its annotation $\phi(m, \tilde e)$ is defined as $(m, \tilde f)$ where $\tilde f \subseteq \tilde e$ are the arguments 
occurring either in side-conditions or source terms of the rules defining $m$. Repeating this for 
each mode of a zipper semantics, we define the annotation function $\phi$ of the semantics. 


Annotated terms. Let $(\mathcal{S}, \mathcal{O}, \mathcal{R})$ be a zipper semantics with annotation function $\phi$. We 
extend $\mathcal{S}$ with the sort of annotation sets $s_\Sigma$, for which we assume the usual operators on 
sets. The machine is built on a signature $\mathcal{A}$ which replaces the signature for terms $\mathcal{O}_t$ with 
annotated terms, so that for all $op \in \mathcal{O}_t$ of type $(s_1, \ldots, s_n) \to t$ for some $n$, we have a 
corresponding operator $op \in \mathcal{A}_t$ of type $(s_\Sigma, s_1, \ldots, s_n) \to t$. 

We let $a$ range over annotated terms, built out of $\mathcal{A}$, $\mathcal{V}_t$, and a single rule variable for 
annotation sets $v_\Sigma$: one variable is enough, as at most one annotation set occurs in a given 
machine step. Given an annotated term $a = op(e_\Sigma, \tilde e)$, we write $an(a)$ for its annotation 
set $e_\Sigma$. Given a term $e_t \in \mathcal{E}_t$, its annotated version, written $\|e_t\|$, is inductively defined so 
$$\rho = \dfrac{e_t \xrightarrow{\tilde f}_{m'} v_t \qquad P(\tilde w)}{op(\tilde v) \xrightarrow{\tilde e}_m v_t}$$
$$\langle op(v_\Sigma, \tilde v); \pi \mid \tilde e\rangle_m \mapsto \langle \|e_t\|; (\rho, v_\Sigma) :: \pi \mid \tilde f\rangle_{m'} \quad \text{if } \phi(m', \tilde f) \notin an(\|e_t\|) \text{ and } P(\tilde w)$$
$$\langle (\rho, v_\Sigma) :: \pi; \|e_t\| \mid \tilde f\rangle_{bm'} \mapsto \langle op(v_\Sigma, \tilde v); \pi \mid \tilde e\rangle_m$$
$$init = \dfrac{v_t \xrightarrow{\tilde e}_m w_t}{v_t \to_{zs} w_t} \qquad \langle v_t\rangle_{zs} \mapsto \langle v_t; init \mid \tilde e\rangle_m \qquad \langle init; v_t \mid \tilde e\rangle_{bm} \mapsto \langle v_t\rangle_{nf}$$
$$\dfrac{P(\tilde w)}{op(\tilde v) \xrightarrow{\tilde e}_m e_t} \qquad \langle op(v_\Sigma, \tilde v); \pi \mid \tilde e\rangle_m \mapsto \langle \|e_t\|\rangle_{zs} \quad \text{if } P(\tilde w)$$

Figure 6 Forward and backward steps generated from a zipper semantics rule 


that $\|v_t\| = v_t$ and $\|op(\tilde e)\| = op(v_\Sigma, \|\tilde e\|)$. Given an annotated term $a$, its erasure $|a|$ 
produces a term with empty annotation sets, inductively defined so that $|v_t| = v_t$ and 
$|op(e_\Sigma, \tilde a)| = op(\emptyset, |\tilde a|)$. 


Machine steps. The syntax of rule stacks $\pi$ is given by $\pi ::= init \mid (\rho, \Sigma) :: \pi$. We denote 
configurations $\langle a; \pi \mid \tilde e\rangle_m$ as forward, a special case being initial ones $\langle a\rangle_{zs}$. Backward 
configurations are of the form $\langle \pi; a \mid \tilde e\rangle_{bm}$ with normal-form ones $\langle a\rangle_{nf}$ as a subcase. 

Figure 6 presents the forward and backward steps generated from an inductive rule $\rho$, 
an initial rule $init$, and an axiom. The forward step for an inductive rule goes from the 
conclusion to the premise, while the backward step goes in the opposite direction. Terms are 
extended with the rule variable for annotation sets $v_\Sigma$. The initial rule case is the same as the 
inductive one but simpler, as there is no side-condition: the annotation sets of the term $v_t$ in 
$\langle v_t\rangle_{zs}$ are assumed to be empty. We can see that the annotations are erased after applying 
an axiom, as we end up with $\langle \|e_t\|\rangle_{zs}$. There is no backward step associated to axioms. 

What remains are the switching steps when we realize that the current mode $m$ does 
not apply to the term $op(v_\Sigma, \tilde v)$ we reduce. These are the “otherwise” steps in Figures 2 
and 4, which actually cover different cases. The first possibility is that $op$ does not have a 
rule applying to it in the mode $m$. For such cases, we add a step 

$$\langle op(v_\Sigma, \tilde v); \pi \mid \tilde e\rangle_m \mapsto \langle \pi; op(v_\Sigma \cup \{\phi(m, \tilde e)\}, \tilde v) \mid \tilde e\rangle_{bm}$$

When going to a backward configuration, we extend the annotation set of the operator with 
the current annotation. 


The other case is that no rule $\rho_i = \dfrac{e^i_t \xrightarrow{\tilde f_i}_{m_i} v_t \qquad P_i(\tilde w)}{op(\tilde v) \xrightarrow{\tilde e}_m v_t}$ for $op$ in the mode $m$ applies, 
because either the premise or the side condition do not hold. If the machine has already 
checked that the premise fails, then $e^i_t$ has been annotated with $\phi(m_i, \tilde f_i)$. The corresponding 
switching step is therefore 

$$\langle op(v_\Sigma, \tilde v); \pi \mid \tilde e\rangle_m \mapsto \langle \pi; op(v_\Sigma \cup \{\phi(m, \tilde e)\}, \tilde v) \mid \tilde e\rangle_{bm} \quad \text{if } \bigwedge_i \big(\phi(m_i, \tilde f_i) \in an(\|e^i_t\|) \vee \neg P_i(\tilde w)\big)$$
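
As an added illustration of the derivation just described, here is a Python implementation of the machine obtained for the untyped $\lambda$-calculus with the mode ordering $zs > app > lam$ of Section 4.2: the congruence rules appL, appR and lam in mode $app$, the switch rule app into mode $lam$, and the $\beta$ axiom, together with the forward, backward and “otherwise” steps of Figure 6. It is written for this page and is not the OCaml implementation of [5]; the rule names, the tuple encoding of terms, contexts and configurations, and the capture-free substitution are assumptions of the example.

```python
# Added example (not the paper's OCaml implementation): an NDAM for full
# beta-reduction of the untyped lambda-calculus, instantiating the recipe of
# Sections 4.2 and 4.3 with modes zs > app > lam. Rule names appL, appR, lam,
# app, the tuple encodings and the capture-free substitution are assumptions.
import random
# Annotated terms: ('var', x, ann) | ('lam', x, body, ann) | ('app', f, a, ann);
# ann is the annotation set, the modes for which the subterm is a normal form.
def var(x, ann=frozenset()): return ('var', x, ann)
def lam(x, body, ann=frozenset()): return ('lam', x, body, ann)
def app(f, a, ann=frozenset()): return ('app', f, a, ann)
def an(t): return t[-1]                                   # an(a)
def annotate(t, mode): return t[:-1] + (t[-1] | {mode},)  # add mode to an(t)

def erase(t):                                          # |t|: empty all annotation sets
    if t[0] == 'var':
        return var(t[1])
    if t[0] == 'lam':
        return lam(t[1], erase(t[2]))
    return app(erase(t[1]), erase(t[2]))

def subst(t, x, s):                                    # t{s/x}; assumes no capture
    if t[0] == 'var':
        return s if t[1] == x else t
    if t[0] == 'lam':
        return t if t[1] == x else lam(t[1], subst(t[2], x, s), t[3])
    return app(subst(t[1], x, s), subst(t[2], x, s), t[3])

def plug(E, t):
    """E[t]; E lists frames innermost first: ('argR', s) is @s::E,
    ('funL', f) is f@::E and ('under', x) is lambda x::E."""
    for frame in E:
        if frame[0] == 'argR':
            t = app(t, frame[1])
        elif frame[0] == 'funL':
            t = app(frame[1], t)
        else:
            t = lam(frame[1], t)
    return t

# Configurations: ('init', t) is <t>zs, ('nf', t) is <t>nf, ('fwd', t, pi, args,
# mode) is <t; pi | args>mode, ('bwd', pi, t, args, mode) is <pi; t | args>bmode.
# pi: rule stack, list of (rule, Sigma), top first; args: E in mode app, (s, E) in lam.
def steps(c):
    """All steps enabled from c; several of them is a non-deterministic choice."""
    if c[0] == 'init':
        return [('fwd', c[1], [], [], 'app')]          # <t>zs -> <t; init | eps>app
    if c[0] == 'fwd':
        _, t, pi, args, mode = c
        out = []
        if mode == 'app':
            if t[0] == 'app':
                _, f, a, S = t
                if 'app' not in an(f):               # appL: focus on the function
                    out.append(('fwd', f, [('appL', S)] + pi, [('argR', a)] + args, 'app'))
                if 'app' not in an(a):               # appR: focus on the argument
                    out.append(('fwd', a, [('appR', S)] + pi, [('funL', f)] + args, 'app'))
                if 'lam' not in an(f):               # app: switch to mode lam
                    out.append(('fwd', f, [('app', S)] + pi, (a, args), 'lam'))
            elif t[0] == 'lam' and 'app' not in an(t[2]):   # lam: go under the binder
                out.append(('fwd', t[2], [('lam', t[3])] + pi, [('under', t[1])] + args, 'app'))
            if not out:                              # otherwise: annotate, backtrack
                out.append(('bwd', pi, annotate(t, 'app'), args, 'bapp'))
        elif t[0] == 'lam':                          # beta axiom: annotations erased
            s, E = args
            return [('init', erase(plug(E, subst(t[2], t[1], s))))]
        else:                                        # otherwise in mode lam
            out.append(('bwd', pi, annotate(t, 'lam'), args, 'blam'))
        return out
    _, pi, t, args, _ = c                            # backward: undo the top rule
    if not pi:
        return [('nf', t)]                           # <init; t | eps>bapp -> <t>nf
    (rule, S), rest = pi[0], pi[1:]
    if rule == 'appL':
        return [('fwd', app(t, args[0][1], S), rest, args[1:], 'app')]
    if rule == 'appR':
        return [('fwd', app(args[0][1], t, S), rest, args[1:], 'app')]
    if rule == 'lam':
        return [('fwd', lam(args[0][1], t, S), rest, args[1:], 'app')]
    return [('fwd', app(t, args[0], S), rest, args[1], 'app')]   # rule 'app'

def search(t, choose=lambda cs: cs[0]):
    """One maximal search path from <||t||>zs; returns (kind, term, steps)."""
    c, n = ('init', erase(t)), 0
    while True:
        c, n = choose(steps(c)), n + 1
        if c[0] in ('init', 'nf'):
            return c[0], c[1], n

def normalize(t, fuel=50, choose=lambda cs: cs[0]):
    """Iterate search: erased normal form, or None when fuel runs out (Omega)."""
    for _ in range(fuel):
        kind, t, _ = search(t, choose)
        if kind == 'nf':
            return erase(t)
    return None

def search_kinds(t, runs=20, seed=0):
    """Outcomes of `runs` random search paths (Theorem 8: init or nf, never a loop)."""
    rng = random.Random(seed)
    return {search(t, rng.choice)[0] for _ in range(runs)}
```

`search` follows one maximal search path, picking among the enabled steps with the supplied strategy; every path ends either in an initial configuration (a redex was contracted and the annotations erased) or in a normal-form configuration whose term carries the annotations accumulated on the way, and `search_kinds` checks this over random choices, as Theorem 8 states. `normalize` chains searches and separates the two termination questions: the search for a redex in $(\lambda x.x\,x)\,(\lambda x.x\,x)$ always terminates, its reduction does not.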


Equivalence. The equivalence between the zipper semantics and its derived NDAM is 
proved in Appendix D; we state here the main results. We let $T$ (resp. $A$) range over 
(resp. annotated) ground terms. For all $T$, we write $\|T\|^\emptyset$ for the corresponding annotated 
term with empty annotation sets. For all $A$, we write $|A|$ for $A$ where all annotation sets 
are made empty; there exists a unique $T$ such that $|A| = \|T\|^\emptyset$. We call a search path a 
sequence of machine steps $\mapsto^*$ which does not go through an initial configuration. Search 
paths are finite, and result either in an initial or a normal-form configuration. 


> Theorem 8. For all $T$, there exists $n$ such that any search path starting from $\langle \|T\|^\emptyset\rangle_{zs}$ 
is of size at most $n$. For all maximal search paths $\langle \|T\|^\emptyset\rangle_{zs} \mapsto^* C$, either $C = \langle \|T'\|^\emptyset\rangle_{zs}$ for 
some $T'$, or $C = \langle A\rangle_{nf}$ for some $A$ with $|A| = \|T\|^\emptyset$. 


We write $\vdash T \to_{zs} T'$ when there exists a zipper semantics derivation ended with $T \to_{zs} T'$. 
Search paths correspond to derivations in the following way. 


> Theorem 9. For all $T$, $T'$, and $A$, 
- $\vdash T \to_{zs} T'$ iff there exists a search path $\langle \|T\|^\emptyset\rangle_{zs} \mapsto^* \langle \|T'\|^\emptyset\rangle_{zs}$; 
- $T$ is a normal form iff there exists a search path $\langle \|T\|^\emptyset\rangle_{zs} \mapsto^* \langle A\rangle_{nf}$ with $|A| = \|T\|^\emptyset$. 


5 Related Work 


The zipper semantics of the process calculi are inspired by complementary semantics [31], 
a format dedicated to bisimulation proofs. In both semantics, the derivation tree of two 
communicating processes is sequentialized. The difference is in the transition labels, which 
should be as minimal as possible in complementary semantics to keep the bisimulation proofs 
simple, while ours are detailed enough to be able to reconstruct the whole term. 

Typical abstract machines for deterministic languages based on the $\lambda$-calculus are in 
refocused form [10]; such machines continue term decomposition from the contraction site. 
They have been shown to be uniformly derivable from the underlying reduction semantics 
by a refocusing method [6,43], and the correctness of the derivation hinges on the unique 
decomposition property. NDAMs do not have this property, and after contracting a redex they 
completely reconstruct the term. An optimization similar to refocusing for non-deterministic 
languages appears more challenging in general. Another common feature of abstract machines 
for the $\lambda$-calculus is an efficient implementation of substitution with environments [7]. The 
use of environments is orthogonal to the derivation of NDAMs: if the source zipper semantics 
uses environments, then so does its derived NDAM. We consider substitution-based zipper 
semantics in this paper because they are simpler than environment-based ones. 

Process algebras have been implemented in various frameworks ranging from rewriting 
logic [44] to biological systems [34], including dedicated implementations and abstract 
machines [4, 15, 17-20, 23, 33, 36, 37, 45]. These implementations are ad-hoc and calculus- 
specific, and only some of them are complete [4, 18, 20, 23,36,37]. We believe we can handle 
most of these calculi in our framework in a uniform and complete way. However, the resulting 
implementation would be “single-threaded”, while the distribution of processes is a concern of 
previous machines [18], especially for calculi with localities [4, 19, 20, 23,37]. Considering the 
many different models of distribution, making our machine distributed requires significantly 
more work, especially if we want to remain generic and complete. 

Our use of backtracking evokes reversible calculi [8,46], where one can revert communica- 
tion steps, not necessarily in the order they were taken, as long as the causality between 
them is preserved. The concerns are different, though: in reversible calculi it is to keep 
enough information to track causality [29,38], while here it is to control backtracking to 
avoid infinite searches. As a result, we store less information in machine configurations, but 


the annotations we use to prevent loops would not be typically needed in the other setting. 
6 Conclusion 


We present a generic design of abstract machines for non-deterministic languages. The 
machine looks for a redex in the term, making arbitrary choices when several paths are 
possible, and backtracks when it reaches a subterm which cannot reduce. The machine 
annotates such subterms to avoid trying them again, preventing infinite search. An NDAM 
is automatically derived from zipper semantics, a form of SOS in which the decomposition 
process of a term into a context and a redex is made explicit. The machine is sound and 
complete w.r.t. the zipper semantics. The derivation procedure has been implemented in 
OCaml [5]. The presented methodology is readily applicable to other non-deterministic 
calculi not shown in this paper, such as concurrent lambda calculi, with communication via 
channels or via futures [3, 16,35]. 

An improvement of the current design would be to keep as many annotations as possible 
after reducing, in order to prune redundant search. Another optimization would be to find a 
way to manage annotations that would generically enable refocusing. 

Finally, we would like to derive the zipper semantics from a more commonly used format, 
such as reduction semantics or SOS. An appropriate starting point should be able to express 
the different families of non-deterministic languages, such as concurrent $\lambda$-calculi or process 
calculi. A multi-hole context-based reduction semantics could be such a starting point. 
A Lambda-calculus 


We prove the correspondence between the zipper and reduction semantics. 


> Lemma 10. For all $t \xrightarrow{s,E}_{lam} t'$, we have $E[t \,@\, s] \to_{rs} t'$. 
For all $t \xrightarrow{E}_{app} t'$, we have $E[t] \to_{rs} t'$. 


Proof. The first item is by definition, and the second one is proved by induction on the 
derivation of $t \xrightarrow{E}_{app} t'$. The base case is app, where we conclude using the first item. 
For the recursive case, suppose we apply appL: we have $t \,@\, s \xrightarrow{E}_{app} t'$ because $t \xrightarrow{@s :: E}_{app} t'$. 
By induction, we have $(@s :: E)[t] \to_{rs} t'$, i.e., $E[t \,@\, s] \to_{rs} t'$, as wished. The other cases are 
similar. ◀ 


> Theorem 11. For all $t \to_{zs} t'$, we have $t \to_{rs} t'$. 


For completeness, we want to prove that $E[(\lambda x.t'') \,@\, s] \to_{rs} E[t''\{s/x\}]$ implies $E[(\lambda x.t'') \,@\, s] \to_{zs} E[t''\{s/x\}]$. 
First, we notice that $\lambda x.t'' \xrightarrow{s,E}_{lam} E[t''\{s/x\}]$ holds by definition of $\to_{lam}$. With 
app, we get $(\lambda x.t'') \,@\, s \xrightarrow{E}_{app} E[t''\{s/x\}]$. To conclude, we use the following result. 


> Lemma 12. For all $t \xrightarrow{E}_{app} t'$, we have $E[t] \xrightarrow{\epsilon}_{app} t'$. 


Proof. We proceed by induction on $E$. There is nothing to prove for $\epsilon$. If $E = \lambda x :: E'$, then 
$t \xrightarrow{\lambda x :: E'}_{app} t'$ implies $\lambda x.t \xrightarrow{E'}_{app} t'$ by app, from which we deduce $E'[\lambda x.t] \xrightarrow{\epsilon}_{app} t'$ by the 
induction hypothesis, i.e., $E[t] \xrightarrow{\epsilon}_{app} t'$, as wished. The proof is similar in the remaining 
cases. ◀ 


> Theorem 13. For all $t \to_{rs} t'$, we have $t \to_{zs} t'$. 


B HOcore 


The output-first zipper semantics is equivalent to reduction semantics in the following way. 


> Lemma 14. For all $R \xrightarrow{G,S,a,P,E,F}_{in} R'$, there exists $R''$ such that either $R' = E[F[0] \parallel G[R''\{P/X\}]]$ 
if $S = L$ or $R' = E[G[R''\{P/X\}] \parallel F[0]]$ if $S = R$. 
For all $P \xrightarrow{F,S,E,R}_{out} P'$, we have either $E[F[P] \parallel R] \to_{rs} P'$ if $S = L$ or $E[R \parallel F[P]] \to_{rs} P'$ 
if $S = R$. 
For all $P \xrightarrow{E}_{par} P'$, we have $E[P] \to_{rs} P'$. 


Each result is proved by induction on the zipper derivation. 
> Theorem 15. For all $P \to_{zs} P'$, we have $P \to_{rs} P'$. 


The reverse implication relies on the following results about contexts in zipper semantics. 


> Lemma 16. For all $R \xrightarrow{G,S,a,P,E,F}_{in} R'$, we have $G[R] \xrightarrow{\epsilon,S,a,P,E,F}_{in} R'$. 
For all $P \xrightarrow{F,S,E,R}_{out} P'$, we have $F[P] \xrightarrow{\epsilon,S,E,R}_{out} P'$. 
For all $P \xrightarrow{E}_{par} P'$, we have $E[P] \xrightarrow{\epsilon}_{par} P'$. 
$$init = \dfrac{P \xrightarrow{\epsilon}_{par} P'}{P \to_{zs} P'} \qquad parL = \dfrac{P \xrightarrow{\parallel Q :: E}_{par} P'}{P \parallel Q \xrightarrow{E}_{par} P'} \qquad parCom = \dfrac{P \xrightarrow{\epsilon, E, Q}_{left} P'}{P \parallel Q \xrightarrow{E}_{par} P'}$$
$$leftParL = \dfrac{P \xrightarrow{\parallel Q :: F, E, R}_{left} P'}{P \parallel Q \xrightarrow{F,E,R}_{left} P'} \qquad leftOut = \dfrac{R \xrightarrow{\epsilon, a, P, E, F}_{in} P'}{\bar a\langle P\rangle \xrightarrow{F,E,R}_{left} P'} \qquad leftIn = \dfrac{R \xrightarrow{\epsilon, a, X, P, E, F}_{out} P'}{a(X).P \xrightarrow{F,E,R}_{left} P'}$$
$$inParL = \dfrac{R \xrightarrow{\parallel Q :: G, a, P, E, F}_{in} P'}{R \parallel Q \xrightarrow{G,a,P,E,F}_{in} P'} \qquad inCom:\; a(X).R \xrightarrow{G,a,P,E,F}_{in} E[F[0] \parallel G[R\{P/X\}]]$$
$$outParL = \dfrac{R \xrightarrow{\parallel Q :: G, a, X, P, E, F}_{out} P'}{R \parallel Q \xrightarrow{G,a,X,P,E,F}_{out} P'} \qquad outCom:\; \bar a\langle R\rangle \xrightarrow{G,a,X,P,E,F}_{out} E[F[P\{R/X\}] \parallel G[0]]$$

Figure 7 Left-first Zipper Semantics for HOcore 


Suppose $R \to_{rs} R'$ with $R = E[F[\bar a\langle Q\rangle] \parallel G[a(X).P]]$; the proof is similar in the symmetric 
case. We have $a(X).P \xrightarrow{G,L,a,Q,E,F}_{in} R'$, and by the first item of Lemma 16, we 
deduce $G[a(X).P] \xrightarrow{\epsilon,L,a,Q,E,F}_{in} R'$. We get $\bar a\langle Q\rangle \xrightarrow{F,L,E,G[a(X).P]}_{out} R'$ by rule outIn, 
i.e., $F[\bar a\langle Q\rangle] \xrightarrow{\epsilon,L,E,G[a(X).P]}_{out} R'$ with the second item. With rule parOutL, we obtain 
$F[\bar a\langle Q\rangle] \parallel G[a(X).P] \xrightarrow{E}_{par} R'$, from which we can conclude using the last item. 


> Theorem 17. For all $P \to_{rs} P'$, we have $P \to_{zs} P'$. 
The left-first semantics for HOcore is given in Figure 7. The $par$ transition goes through 
the process to find the parallel composition at the root of the communication redex, building 
the context $E$ surrounding the redex at the same time. Finding the parallel composition 
triggers the $\xrightarrow{F,E,R}_{left}$ transition, which looks for an input or an output in the process on the 
left, while building the context $F$ and remembering $E$ and the process on the right $R$. If we 
find an output, we look for an input on the same name in $R$ using $\xrightarrow{G,a,P,E,F}_{in}$ (rule leftOut), 
otherwise we look for an output using $\xrightarrow{G,a,X,P,E,F}_{out}$ (rule leftIn). These two transitions 
build the context $G$ and use the remaining arguments to compute the results of the 
communication (rules inCom and outCom). 

The corresponding NDAM is in Figure 8, except for the $out$ and $bout$ modes, which are 
symmetric to the $in$ and $bin$ modes. 


C HOπ 


We present the zipper semantics of HOπ, an extension of HOcore with name restriction. The 
main difficulty is that the evaluation contexts surrounding the communicating processes can 
be themselves modified by the reduction. 
$$\langle P\rangle_{zs} \mapsto \langle P; init \mid \epsilon\rangle_{par}$$
$$\langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par} \mapsto \langle P; (parL, \Sigma) :: \pi \mid \parallel Q :: E\rangle_{par} \quad \text{if } par \notin an(P)$$
$$\langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par} \mapsto \langle Q; (parR, \Sigma) :: \pi \mid P \parallel :: E\rangle_{par} \quad \text{if } par \notin an(Q)$$
$$\langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par} \mapsto \langle P; (parCom, \Sigma) :: \pi \mid \epsilon, E, Q\rangle_{left} \quad \text{if } (left, |Q|) \notin an(P)$$
$$\langle P; \pi \mid E\rangle_{par} \mapsto \langle \pi; P^{\cup\{par\}} \mid E\rangle_{bpar} \quad \text{otherwise}$$
$$\langle init; P \mid \epsilon\rangle_{bpar} \mapsto \langle P\rangle_{nf}$$
$$\langle (parL, \Sigma) :: \pi; P \mid \parallel Q :: E\rangle_{bpar} \mapsto \langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par}$$
$$\langle (parR, \Sigma) :: \pi; Q \mid P \parallel :: E\rangle_{bpar} \mapsto \langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par}$$
$$\langle P \parallel^\Sigma Q; \pi \mid F, E, R\rangle_{left} \mapsto \langle P; (leftParL, \Sigma) :: \pi \mid \parallel Q :: F, E, R\rangle_{left} \quad \text{if } (left, |R|) \notin an(P)$$
$$\langle P \parallel^\Sigma Q; \pi \mid F, E, R\rangle_{left} \mapsto \langle Q; (leftParR, \Sigma) :: \pi \mid P \parallel :: F, E, R\rangle_{left} \quad \text{if } (left, |R|) \notin an(Q)$$
$$\langle \bar a^\Sigma\langle P\rangle; \pi \mid F, E, R\rangle_{left} \mapsto \langle R; (leftOut, \Sigma) :: \pi \mid \epsilon, a, P, E, F\rangle_{in} \quad \text{if } (in, a) \notin an(R)$$
$$\langle a^\Sigma(X).P; \pi \mid F, E, R\rangle_{left} \mapsto \langle R; (leftIn, \Sigma) :: \pi \mid \epsilon, a, X, P, E, F\rangle_{out} \quad \text{if } (out, a) \notin an(R)$$
$$\langle P; \pi \mid F, E, R\rangle_{left} \mapsto \langle \pi; P^{\cup\{(left,|R|)\}} \mid F, E, R\rangle_{bleft} \quad \text{otherwise}$$
$$\langle (parCom, \Sigma) :: \pi; P \mid \epsilon, E, Q\rangle_{bleft} \mapsto \langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par}$$
$$\langle (leftParL, \Sigma) :: \pi; P \mid \parallel Q :: F, E, R\rangle_{bleft} \mapsto \langle P \parallel^\Sigma Q; \pi \mid F, E, R\rangle_{left}$$
$$\langle (leftParR, \Sigma) :: \pi; Q \mid P \parallel :: F, E, R\rangle_{bleft} \mapsto \langle P \parallel^\Sigma Q; \pi \mid F, E, R\rangle_{left}$$
$$\langle R \parallel^\Sigma Q; \pi \mid G, a, P, E, F\rangle_{in} \mapsto \langle R; (inParL, \Sigma) :: \pi \mid \parallel Q :: G, a, P, E, F\rangle_{in} \quad \text{if } (in, a) \notin an(R)$$
$$\langle R \parallel^\Sigma Q; \pi \mid G, a, P, E, F\rangle_{in} \mapsto \langle Q; (inParR, \Sigma) :: \pi \mid R \parallel :: G, a, P, E, F\rangle_{in} \quad \text{if } (in, a) \notin an(Q)$$
$$\langle a^\Sigma(X).R; \pi \mid G, a, P, E, F\rangle_{in} \mapsto \langle \|E[F[0] \parallel G[R\{P/X\}]]\|\rangle_{zs}$$
$$\langle R; \pi \mid G, a, P, E, F\rangle_{in} \mapsto \langle \pi; R^{\cup\{(in,a)\}} \mid G, a, P, E, F\rangle_{bin} \quad \text{otherwise}$$
$$\langle (leftOut, \Sigma) :: \pi; R \mid \epsilon, a, P, E, F\rangle_{bin} \mapsto \langle \bar a^\Sigma\langle P\rangle; \pi \mid F, E, R\rangle_{left}$$
$$\langle (inParL, \Sigma) :: \pi; R \mid \parallel Q :: G, a, P, E, F\rangle_{bin} \mapsto \langle R \parallel^\Sigma Q; \pi \mid G, a, P, E, F\rangle_{in}$$
$$\langle (inParR, \Sigma) :: \pi; Q \mid R \parallel :: G, a, P, E, F\rangle_{bin} \mapsto \langle R \parallel^\Sigma Q; \pi \mid G, a, P, E, F\rangle_{in}$$

Figure 8 Left-first NDAM for HOcore 
C.1 Syntax and Semantics 


We add name restriction to HOcore processes, and the frame $\nu a$ to contexts. 
$$P, Q, R ::= \ldots \mid \nu a.P$$


To remain close to HOcore, the calculus of this section is asynchronous: outputs $\bar a\langle P\rangle$ do not 
have a continuation, unlike the original HOπ [41]. Adding continuations would not be an 
issue as pointed out in Remark 3. 

The scope of $a$ in $\nu a.P$ is restricted to $P$, so that a communication on $a$ is possible inside 
$P$ only. For instance, the process $a(X).X \parallel \nu a.\bar a\langle 0\rangle$ cannot reduce, because the name $a$ is 
restricted to the process on the right. In general, a process $E[\bar a\langle P\rangle]$ or $E[a(X).P]$ cannot 
communicate on $a$ if $E$ captures $a$. To check this, we compute the set of names bound by $E$, 
written $bn(E)$, as follows. 


$$bn(\epsilon) = \emptyset \qquad bn(\parallel P :: E) = bn(E) \qquad bn(\nu a :: E) = \{a\} \cup bn(E) \qquad bn(P \parallel :: E) = bn(E)$$


Name restriction does not forbid the communication on unrestricted names, but the scope 
of restricted names has to be enlarged to prevent them from escaping their delimiter. For 
example, we have 


B(X).(X || X0)) || va.(Ka(Y).Y) || G(0)) >s 
va.(a(Y).Y || «0) || 0 || a(07) 


The scope of $a$ has been extended to include the receiving process on $b$. This phenomenon 
is known as scope extrusion. To reflect it at the level of contexts, we define an operation 
$extr(E)$ which returns a pair of contexts $(E_1, E_2)$ such that $E_2$ contains the binding frames, 
while $E_1$ contains the remaining frames. We assume free names to be distinct from bound 
names using $\alpha$-conversion if necessary, to avoid capture during extrusion. 


$$extr(\epsilon) = (\epsilon, \epsilon) \qquad \dfrac{extr(E) = (E_1, E_2)}{extr(\nu a :: E) = (E_1, \nu a :: E_2)} \qquad \dfrac{extr(E) = (E_1, E_2)}{extr(\parallel P :: E) = (\parallel P :: E_1, E_2)} \qquad \dfrac{extr(E) = (E_1, E_2)}{extr(P \parallel :: E) = (P \parallel :: E_1, E_2)}$$


We define the reduction semantics $\to_{rs}$ of HOπ as follows, assuming $a \notin bn(F) \cup bn(G)$ and 
$extr(F) = (F_1, F_2)$. 


$$E[F[\bar a\langle Q\rangle] \parallel G[a(X).P]] \to_{rs} E[F_2[F_1[0] \parallel G[P\{Q/X\}]]]$$
$$E[G[a(X).P] \parallel F[\bar a\langle Q\rangle]] \to_{rs} E[F_2[G[P\{Q/X\}] \parallel F_1[0]]]$$


C.2 Zipper Semantics and NDAM 


We present the zipper semantics of HOπ in Figure 9. The $out$ and $in$ transitions differ from 
HOcore as they carry two contexts $F_1$ and $F_2$: as in the reduction semantics, $F_1$ collects the 
parallel compositions (rules outParL and outParR) while $F_2$ collects the name restrictions 
(rule outNu). 

Checking that the name $a$ on which the communication happens is not captured by $F_2$ or 
$G$ is not done the same way in the $out$ and $in$ transitions, because the transitions themselves 
$$init = \dfrac{P \xrightarrow{\epsilon}_{par} P'}{P \to_{zs} P'} \qquad parNu = \dfrac{P \xrightarrow{\nu a :: E}_{par} P'}{\nu a.P \xrightarrow{E}_{par} P'} \qquad parL = \dfrac{P \xrightarrow{\parallel Q :: E}_{par} P'}{P \parallel Q \xrightarrow{E}_{par} P'}$$
$$parOutL = \dfrac{P \xrightarrow{\epsilon, \epsilon, L, E, Q}_{out} P'}{P \parallel Q \xrightarrow{E}_{par} P'} \qquad parOutR = \dfrac{Q \xrightarrow{\epsilon, \epsilon, R, E, P}_{out} P'}{P \parallel Q \xrightarrow{E}_{par} P'}$$
$$outParL = \dfrac{P \xrightarrow{\parallel Q :: F_1, F_2, S, E, R}_{out} P'}{P \parallel Q \xrightarrow{F_1, F_2, S, E, R}_{out} P'} \qquad outNu = \dfrac{P \xrightarrow{F_1, \nu b :: F_2, S, E, R}_{out} P'}{\nu b.P \xrightarrow{F_1, F_2, S, E, R}_{out} P'}$$
$$outIn = \dfrac{R \xrightarrow{\epsilon, S, a, P, E, F_1, F_2}_{in} P' \qquad a \notin bn(F_2)}{\bar a\langle P\rangle \xrightarrow{F_1, F_2, S, E, R}_{out} P'}$$
$$inParL = \dfrac{R \xrightarrow{\parallel Q :: G, S, a, P, E, F_1, F_2}_{in} P'}{R \parallel Q \xrightarrow{G, S, a, P, E, F_1, F_2}_{in} P'} \qquad inNu = \dfrac{R \xrightarrow{\nu b :: G, S, a, P, E, F_1, F_2}_{in} P' \qquad a \neq b}{\nu b.R \xrightarrow{G, S, a, P, E, F_1, F_2}_{in} P'}$$
$$inComL = \dfrac{a = b}{b(X).R \xrightarrow{G, L, a, P, E, F_1, F_2}_{in} E[F_2[F_1[0] \parallel G[R\{P/X\}]]]}$$

Figure 9 Zipper Semantics for HOπ 


are not completely symmetric. In the input transition, we already know the name $a$, so we 
simply verify that the names bound by $G$ differ from $a$ on the fly in rule inNu. We cannot do 
the same in rule outNu, because we do not yet know $a$ at this point. We know $a$ when we 
find the output (rule outIn), so we check there that $F_2$ does not capture it. 

We first prove that zipper semantics implies reduction semantics. 


> Lemma 18. For all transitions $R \xrightarrow{G, S, a, P, E, F_1, F_2}_{in} R'$, there exists $R''$ such that $R' = 
E[F_2[F_1[0] \parallel G[R''\{P/X\}]]]$ if $S = L$ and $R' = E[F_2[G[R''\{P/X\}] \parallel F_1[0]]]$ if $S = R$. 

For all transitions $P \xrightarrow{F_1, F_2, S, E, R}_{out} P'$ and $F$ such that $extr(F) = (F_1, F_2)$, we have 
$E[F[P] \parallel R] \to_{rs} P'$ if $S = L$ and $E[R \parallel F[P]] \to_{rs} P'$ if $S = R$. 

For all $P \xrightarrow{E}_{par} P'$, we have $E[P] \to_{rs} P'$. 


Proof. We sketch the proof of the second item, the others are easy. The proof is by induction 
on the derivation of the $out$ transition. We assume $S = L$, the case $S = R$ is similar. In 
the base case (rule outIn), we have $P = \bar a\langle P''\rangle$ and $R \xrightarrow{\epsilon, L, a, P'', E, F_1, F_2}_{in} P'$, which implies 
$P' = E[F_2[F_1[0] \parallel G[R''\{P''/X\}]]]$ for some $R''$ by the first item. 
Suppose we are in the case of rule outNu, and let $F$ such that $extr(F) = (F_1, F_2)$. Then $P = 
\nu a.P''$ and $P'' \xrightarrow{F_1, \nu a :: F_2, S, E, R}_{out} P'$. By induction, for all $F'$ such that $extr(F') = (F_1, \nu a :: F_2)$, 
we have $E[F'[P''] \parallel R] \to_{rs} P'$. But since $extr(F) = (F_1, F_2)$, we have $extr(\nu a :: F) = 
(F_1, \nu a :: F_2)$ by definition, so we can apply the induction hypothesis to obtain $E[(\nu a :: F)[P''] \parallel R] \to_{rs}$ 
$$\langle P\rangle_{zs} \mapsto \langle P; init \mid \epsilon\rangle_{par}$$
$$\langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par} \mapsto \langle P; (parL, \Sigma) :: \pi \mid \parallel Q :: E\rangle_{par} \quad \text{if } par \notin an(P)$$
$$\langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par} \mapsto \langle Q; (parR, \Sigma) :: \pi \mid P \parallel :: E\rangle_{par} \quad \text{if } par \notin an(Q)$$
$$\langle \nu^\Sigma a.P; \pi \mid E\rangle_{par} \mapsto \langle P; (parNu, \Sigma) :: \pi \mid \nu a :: E\rangle_{par} \quad \text{if } par \notin an(P)$$
$$\langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par} \mapsto \langle P; (parOutL, \Sigma) :: \pi \mid \epsilon, \epsilon, L, E, Q\rangle_{out} \quad \text{if } (out, |Q|, \epsilon) \notin an(P)$$
$$\langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par} \mapsto \langle Q; (parOutR, \Sigma) :: \pi \mid \epsilon, \epsilon, R, E, P\rangle_{out} \quad \text{if } (out, |P|, \epsilon) \notin an(Q)$$
$$\langle P; \pi \mid E\rangle_{par} \mapsto \langle \pi; P^{\cup\{par\}} \mid E\rangle_{bpar} \quad \text{otherwise}$$
$$\langle init; P \mid \epsilon\rangle_{bpar} \mapsto \langle P\rangle_{nf}$$
$$\langle (parL, \Sigma) :: \pi; P \mid \parallel Q :: E\rangle_{bpar} \mapsto \langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par}$$
$$\langle (parR, \Sigma) :: \pi; Q \mid P \parallel :: E\rangle_{bpar} \mapsto \langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par}$$
$$\langle (parNu, \Sigma) :: \pi; P \mid \nu a :: E\rangle_{bpar} \mapsto \langle \nu^\Sigma a.P; \pi \mid E\rangle_{par}$$
$$\langle P \parallel^\Sigma Q; \pi \mid F_1, F_2, S, E, R\rangle_{out} \mapsto \langle P; (outParL, \Sigma) :: \pi \mid \parallel Q :: F_1, F_2, S, E, R\rangle_{out} \quad \text{if } (out, |R|, F_2) \notin an(P)$$
$$\langle P \parallel^\Sigma Q; \pi \mid F_1, F_2, S, E, R\rangle_{out} \mapsto \langle Q; (outParR, \Sigma) :: \pi \mid P \parallel :: F_1, F_2, S, E, R\rangle_{out} \quad \text{if } (out, |R|, F_2) \notin an(Q)$$
$$\langle \nu^\Sigma a.P; \pi \mid F_1, F_2, S, E, R\rangle_{out} \mapsto \langle P; (outNu, \Sigma) :: \pi \mid F_1, \nu a :: F_2, S, E, R\rangle_{out} \quad \text{if } (out, |R|, \nu a :: F_2) \notin an(P)$$
$$\langle \bar a^\Sigma\langle P\rangle; \pi \mid F_1, F_2, S, E, R\rangle_{out} \mapsto \langle R; (outIn, \Sigma) :: \pi \mid \epsilon, S, a, P, E, F_1, F_2\rangle_{in} \quad \text{if } (in, a) \notin an(R),\ a \notin bn(F_2)$$
$$\langle P; \pi \mid F_1, F_2, S, E, R\rangle_{out} \mapsto \langle \pi; P^{\cup\{(out,|R|,F_2)\}} \mid F_1, F_2, S, E, R\rangle_{bout} \quad \text{otherwise}$$
$$\langle (parOutL, \Sigma) :: \pi; P \mid \epsilon, \epsilon, L, E, Q\rangle_{bout} \mapsto \langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par}$$
$$\langle (parOutR, \Sigma) :: \pi; Q \mid \epsilon, \epsilon, R, E, P\rangle_{bout} \mapsto \langle P \parallel^\Sigma Q; \pi \mid E\rangle_{par}$$
$$\langle (outParL, \Sigma) :: \pi; P \mid \parallel Q :: F_1, F_2, S, E, R\rangle_{bout} \mapsto \langle P \parallel^\Sigma Q; \pi \mid F_1, F_2, S, E, R\rangle_{out}$$
$$\langle (outParR, \Sigma) :: \pi; Q \mid P \parallel :: F_1, F_2, S, E, R\rangle_{bout} \mapsto \langle P \parallel^\Sigma Q; \pi \mid F_1, F_2, S, E, R\rangle_{out}$$
$$\langle (outNu, \Sigma) :: \pi; P \mid F_1, \nu a :: F_2, S, E, R\rangle_{bout} \mapsto \langle \nu^\Sigma a.P; \pi \mid F_1, F_2, S, E, R\rangle_{out}$$
$$\langle R \parallel^\Sigma Q; \pi \mid G, S, a, P, E, F_1, F_2\rangle_{in} \mapsto \langle R; (inParL, \Sigma) :: \pi \mid \parallel Q :: G, S, a, P, E, F_1, F_2\rangle_{in} \quad \text{if } (in, a) \notin an(R)$$
$$\langle R \parallel^\Sigma Q; \pi \mid G, S, a, P, E, F_1, F_2\rangle_{in} \mapsto \langle Q; (inParR, \Sigma) :: \pi \mid R \parallel :: G, S, a, P, E, F_1, F_2\rangle_{in} \quad \text{if } (in, a) \notin an(Q)$$
$$\langle \nu^\Sigma b.R; \pi \mid G, S, a, P, E, F_1, F_2\rangle_{in} \mapsto \langle R; (inNu, \Sigma) :: \pi \mid \nu b :: G, S, a, P, E, F_1, F_2\rangle_{in} \quad \text{if } (in, a) \notin an(R),\ b \neq a$$
$$\langle b^\Sigma(X).R; \pi \mid G, L, a, P, E, F_1, F_2\rangle_{in} \mapsto \langle \|E[F_2[F_1[0] \parallel G[R\{P/X\}]]]\|\rangle_{zs} \quad \text{if } a = b$$
$$\langle b^\Sigma(X).R; \pi \mid G, R, a, P, E, F_1, F_2\rangle_{in} \mapsto \langle \|E[F_2[G[R\{P/X\}] \parallel F_1[0]]]\|\rangle_{zs} \quad \text{if } a = b$$
$$\langle R; \pi \mid G, S, a, P, E, F_1, F_2\rangle_{in} \mapsto \langle \pi; R^{\cup\{(in,a)\}} \mid G, S, a, P, E, F_1, F_2\rangle_{bin} \quad \text{otherwise}$$
$$\langle (outIn, \Sigma) :: \pi; R \mid \epsilon, S, a, P, E, F_1, F_2\rangle_{bin} \mapsto \langle \bar a^\Sigma\langle P\rangle; \pi \mid F_1, F_2, S, E, R\rangle_{out}$$
$$\langle (inParL, \Sigma) :: \pi; R \mid \parallel Q :: G, S, a, P, E, F_1, F_2\rangle_{bin} \mapsto \langle R \parallel^\Sigma Q; \pi \mid G, S, a, P, E, F_1, F_2\rangle_{in}$$
$$\langle (inParR, \Sigma) :: \pi; Q \mid R \parallel :: G, S, a, P, E, F_1, F_2\rangle_{bin} \mapsto \langle R \parallel^\Sigma Q; \pi \mid G, S, a, P, E, F_1, F_2\rangle_{in}$$
$$\langle (inNu, \Sigma) :: \pi; R \mid \nu b :: G, S, a, P, E, F_1, F_2\rangle_{bin} \mapsto \langle \nu^\Sigma b.R; \pi \mid G, S, a, P, E, F_1, F_2\rangle_{in}$$

Figure 10 Non-Deterministic Abstract Machine for HOπ 
$P'$. This is the same as $E[F[\nu a.P''] \parallel R] \to_{rs} P'$, but $\nu a.P'' = P$, so we get the expected 
result. The cases of rules outParL and outParR are similar. ◀ 


> Theorem 19. For all $P \to_{zs} P'$, we have $P \to_{rs} P'$. 


The proof of the reverse implication follows the same strategy as in HOcore, using the 
following result. 


> Lemma 20. For all $R \xrightarrow{G, S, a, P, E, F_1, F_2}_{in} R'$, we have $G[R] \xrightarrow{\epsilon, S, a, P, E, F_1, F_2}_{in} R'$. 

For all $P \xrightarrow{F_1, F_2, S, E, R}_{out} P'$ and $F$ such that $extr(F) = (F_1, F_2)$, we have $F[P] \xrightarrow{\epsilon, \epsilon, S, E, R}_{out} 
P'$. 

For all $P \xrightarrow{E}_{par} P'$, we have $E[P] \xrightarrow{\epsilon}_{par} P'$. 


> Theorem 21. For all $P \to_{rs} P'$, we have $P \to_{zs} P'$. 


> Remark 22. The zipper semantics for HOπ cannot be written in the left-first style (Remark 4) 
because of scope extrusion. After finding the communicating processes $P \parallel Q$, we search for 
an output or input in $P$. Because we do not know the operator in advance, we do not know 
if we should decompose the context surrounding it to account for scope extrusion. 


While writing the zipper semantics for HOπ requires some care, the corresponding NDAM 
is as expected (cf. Figure 10). A difference with HOcore is the side-conditions in the outIn 
and inNu rules, which are added to the step. If the side-condition is not met, the ‘otherwise’ 
step applies and we switch to the backward mode $bout$. The side-condition also makes the 
output mode annotation become $(out, |R|, F_2)$: a process $\bar a\langle P\rangle$ is a normal form w.r.t. output 
if $F_2$ captures $a$, so being a normal form in this mode depends on $F_2$. 


D Correspondence Results 


We show conditions for the derived machine to be sound and complete w.r.t. the zipper 
semantics. The intuition is that a machine run is well-bracketed, in the sense that backward 
steps undo the rules applied by forward steps in the reverse order. If the machine ends 
up applying an axiom, then we can read from the machine run the derivation tree of the 
corresponding transition in zipper semantics. The proofs of this section and auxiliary lemmas 
can be found in Appendix D. 


D.1 Preliminary Notations 


Let $(\mathcal{S}, \mathcal{O}, \mathcal{R})$ be a zipper semantics with annotation function $\phi$. We inductively define that 
a sequence of rules $\rho_1, \ldots, \rho_n$ is a derivation of a statement as follows. Given an axiom 
$\rho = \dfrac{P(\tilde w)}{e_t \xrightarrow{\tilde e}_m e'_t}$ and a grounding substitution $\sigma$ which satisfies $P$, we write $\rho \vdash (e_t \xrightarrow{\tilde e}_m e'_t)\sigma$. 


Given a (potentially initial) rule $\rho_1 = \dfrac{e'_t \xrightarrow{\tilde f}_{m'} v_t \qquad P(\tilde w)}{e_t \xrightarrow{\tilde e}_m v_t}$ and a grounding substitution $\sigma$ 
which satisfies $P$, we write $\rho_1, \rho_2, \ldots, \rho_n \vdash (e_t \xrightarrow{\tilde e}_m v_t)\sigma$ if $\rho_2, \ldots, \rho_n \vdash (e'_t \xrightarrow{\tilde f}_{m'} v_t)\sigma$. 


Given a ground statement $e_t \xrightarrow{\tilde e}_m e'_t$, we write $\vdash e_t \xrightarrow{\tilde e}_m e'_t$ if there exist $\rho_1, \ldots, \rho_n$ such 
that $\rho_1, \ldots, \rho_n \vdash e_t \xrightarrow{\tilde e}_m e'_t$. To make the distinction between rule entities $e$, $f$, used to write 
rules of the zipper semantics or machine steps, and their instances in ground statements, we 
write the latter using capital letters $E$, $F$, and in particular we use $T$ for ground terms. As a 
result, we write $\vdash T \xrightarrow{\tilde E}_m T'$ for a derivable statement from now on. Similarly, we write $A$ 
for ground annotated terms in machine configurations. 

Given a ground term $T$, we write $\|T\|^\emptyset$ for the ground annotated term in which all the 
annotation sets are empty, i.e., $\|T\|^\emptyset = \|T\|\{v_\Sigma \mapsto \emptyset\}$. For all $A$, there exists a unique 
$T$ such that $|A| = \|T\|^\emptyset$. In statements relating the machine to the zipper semantics, we 
identify $|A|$ and $T$, writing, e.g., $\vdash |A| \xrightarrow{\tilde E}_m T'$. 

We let $C$, $F$, $\mathcal{I}$, and $B$ range over respectively all, forward, initial, and backward machine configurations. The stepping relation between configurations is written $\mapsto$, and its reflexive transitive closure and its transitive closure are written respectively $\mapsto^*$ and $\mapsto^+$. A search path is a sequence $C \mapsto^* C'$ where only $C$ or $C'$ may be initial configurations.

An arbitrary configuration may contain annotations inconsistent with a machine run 
(e.g., a A-abstraction annotated with lam). To rule out such configurations, we define validity 
as follows. 


▶ Definition 23. A configuration $C$ is valid if there exists a ground term $T$ such that $\langle \|T\|^\emptyset \rangle_{\mathsf{zs}} \mapsto^* C$.


A configuration is valid if it derives from an initial configuration with a term with empty annotations. We are then sure that the annotations and the stack in $C$ result from the machine itself and are well-formed. By construction, the annotation sets of a term in a valid initial configuration $\langle A\rangle_{\mathsf{zs}}$ are all empty.


D.2 Annotations 


Consider the HOcore process $R \parallel a\langle P\rangle \parallel a\langle Q\rangle$ where $R$ cannot do an input on $a$. A machine run may first try $R$ with an input transition on $a$ with message $P$, and when it fails to find the input, it annotates $R$ with $(\mathsf{in}, a)$. The annotation prevents testing $R$ for an input on $a$ with message $Q$, because we know that the success of the input transition does not depend on the message. The annotation contains enough arguments (here $a$) to know that a term is a normal form w.r.t. any transition with these specific arguments, independently of the other arguments (like the message).

The next result formalizes the idea that the arguments which are not in the annotation do not matter. It says that if two instances $\sigma$ and $\sigma'$ of a transition $\xrightarrow{\bar e}_m$ agree on the annotation $\bar f \subseteq \bar e$, then a term is a normal form w.r.t. $\xrightarrow{\bar e\sigma}_m$ iff it is a normal form w.r.t. $\xrightarrow{\bar e\sigma'}_m$, even if $\sigma$ and $\sigma'$ differ on $\bar e \setminus \bar f$.




▶ Lemma 24. Let $m$ be a mode with arguments $\bar e$, and suppose $\phi(m, \bar e) = (m, \bar f)$. For all ground terms $T$ and grounding substitutions $\sigma, \sigma'$ such that $\bar f\sigma = \bar f\sigma'$, we have $\neg(T \xrightarrow{\bar e\sigma}_m)$ iff $\neg(T \xrightarrow{\bar e\sigma'}_m)$.


Proof. We proceed by induction on the metric of the zipper semantics. Recall that the annotation contains the arguments which appear either in a side-condition or in the premise of a rule (cf. Section 4.3). Suppose $\neg(T \xrightarrow{\bar e\sigma}_m)$; the proof is the same in the other direction.

If $\neg(T \xrightarrow{\bar e\sigma}_m)$ because the root operator of $T$ is not parsed in $m$, then we also have $\neg(T \xrightarrow{\bar e\sigma'}_m)$ for the same reason. Otherwise, we have rules $p_i$ parsing the operator which do not apply, because for each of them either the side-condition or the premise is not satisfied. The side-conditions are not satisfied with $\sigma'$ either, because $\sigma$ and $\sigma'$ agree on the annotation, which contains the variables of the side-conditions.

Let $e'_i$ be the term at the source of the premise of each $p_i$. We necessarily have $e'_i\sigma = e'_i\sigma'$, because the variables of the arguments which occur in $e'_i$ are in the annotation, and $\sigma$ and $\sigma'$ agree on the annotation. The other variables are from the term $T$ itself, because the rules are constructive and reversible. Because $e'_i\sigma = e'_i\sigma'$, we can apply the induction hypothesis to each of the premises, which therefore do not hold with $\sigma'$. In the end, each rule $p_i$ also fails with $\sigma'$ and we have $\neg(T \xrightarrow{\bar e\sigma'}_m)$. ◀


With this property, we prove that a term in a backward configuration cannot do the transition corresponding to the machine state. By construction, the machine adds the annotation when switching to a backward configuration, so in the following lemma we necessarily have $\phi(m, \bar E) \in \mathit{an}(A)$.


▶ Lemma 25. Let $B = \langle \pi; A \mid \bar E\rangle_{\mathsf{b}m}$ be a valid configuration. We have $\neg(|A| \xrightarrow{\bar E}_m)$.


Proof. Because $B$ is valid, there exists $\mathcal{I}$ with empty annotation sets such that $\mathcal{I} \mapsto^* B$. The proof is by induction on the number of machine steps. There are two kinds of transition leading to a backward configuration. The first possibility is that the root operator of $A$ is not pattern-matched in the mode $m$. In that case, we have directly $\neg(|A| \xrightarrow{\bar E}_m)$.

In the second case, we have rules

$$p_i = \dfrac{e'_i \xrightarrow{\bar f_i}_{m_i} v_r \quad P_i(\bar w_i)}{\mathit{op}(\bar v) \xrightarrow{\bar e}_m v_r}$$

parsing the root operator $\mathit{op}$ of $A$, and the machine has taken the default step where none of the rules apply. Let $\sigma$ be a grounding substitution such that $\mathit{op}(\bar v)\sigma = A$ and $\bar e\sigma = \bar E$. If none of the rules applies because the predicates are not satisfied, then we have directly $\neg(|A| \xrightarrow{\bar E}_m)$. Otherwise, we have $\phi(m_i, \bar f_i\sigma) \in \mathit{an}(e'_i\sigma)$ for some of the rules. Because we start from $\mathcal{I}$ with empty annotation sets, for each such rule the annotation has been added in the machine run before getting to $B$: there exist $B_i$ such that $\mathcal{I} \mapsto^* B_i \mapsto^* B$, $B_i = \langle \pi_i; e'_i\sigma_i \mid \bar f_i\sigma_i\rangle_{\mathsf{b}m_i}$ with $|e'_i\sigma_i| = |e'_i\sigma|$, and $\phi(m_i, \bar f_i\sigma_i) = \phi(m_i, \bar f_i\sigma)$. By induction, we have $\neg(|e'_i\sigma_i| \xrightarrow{\bar f_i\sigma_i}_{m_i})$, which implies $\neg(|e'_i\sigma| \xrightarrow{\bar f_i\sigma}_{m_i})$ by Lemma 24. As a result, the premises of these rules do not hold, so none of the rules applies to $A$. We have $\neg(|A| \xrightarrow{\bar E}_m)$ as required. ◀


D.3 Semantics Derivation Implies Machine Run 


A zipper transition can be reflected as a machine run which never backtracks, just by 
mimicking the derivation tree. 


▶ Lemma 26. If $\vdash T \xrightarrow{\bar E}_m T'$, then for all valid configurations $C = \langle A; \pi \mid \bar E\rangle_m$ such that $|A| = T$, there exists $A'$ such that $C \mapsto^* \langle A'\rangle_{\mathsf{zs}}$ and $|A'| = T'$.


Proof. By induction on the size of the derivation $p_1, \ldots, p_n \vdash T \xrightarrow{\bar E}_m T'$. If $n = 1$, then we apply an axiom, and the corresponding machine step applies directly. Otherwise, we apply the rule

$$p_1 = \dfrac{e'_t \xrightarrow{\bar f}_{m'} v_r \quad P(\bar w)}{e_t \xrightarrow{\bar e}_m v_r}$$

for some $\sigma$ such that $(e_t \xrightarrow{\bar e}_m v_r)\sigma = T \xrightarrow{\bar E}_m T'$. Let $C' = \langle e'_t\sigma; (p_1, \mathit{an}(A)) :: \pi \mid \bar f\sigma\rangle_{m'}$. We show that we can apply the forward step corresponding to $p_1$, i.e., $C \mapsto C'$. The step cannot apply only if the annotation prevents it: suppose we have $\phi(m', \bar f\sigma) \in \mathit{an}(e'_t\sigma)$. Because $C$ is valid, it is derived from an initial configuration $\mathcal{I}$ without annotations, so the annotation has been added in an intermediary backward configuration: there exist $A''$, $\sigma''$, and $\pi''$ such that $\mathcal{I} \mapsto^* \langle \pi''; A'' \mid \bar f\sigma''\rangle_{\mathsf{b}m'} \mapsto^* C$, $|A''| = |e'_t\sigma|$, and $\phi(m', \bar f\sigma'') = \phi(m', \bar f\sigma)$. By Lemma 25, we have $\neg(|A''| \xrightarrow{\bar f\sigma''}_{m'})$, which implies $\neg(|A''| \xrightarrow{\bar f\sigma}_{m'})$ by Lemma 24. We have a contradiction, since $\vdash (e'_t \xrightarrow{\bar f}_{m'} v_r)\sigma$ holds. Therefore we have $\phi(m', \bar f\sigma) \notin \mathit{an}(e'_t\sigma)$ and $C \mapsto C'$.

We also have $p_2, \ldots, p_n \vdash (e'_t \xrightarrow{\bar f}_{m'} v_r)\sigma$, so by induction there exists $A'$ such that $C' \mapsto^* \langle A'\rangle_{\mathsf{zs}}$ and $|A'| = T'$, from which we can conclude the proof. ◀


A direct consequence is that the machine is complete w.r.t. semantics derivations.

▶ Theorem 27. For all $\vdash T \to_{\mathsf{zs}} T'$, we have $\langle \|T\|^\emptyset\rangle_{\mathsf{zs}} \mapsto^* \langle \|T'\|^\emptyset\rangle_{\mathsf{zs}}$.


We show that the machine is also complete w.r.t. normal forms, i.e., if a term cannot reduce in the semantics, the machine ends in the machine state for normal forms $\langle A\rangle_{\mathsf{nf}}$. The following lemma expresses the idea that if a term cannot reduce in a given mode, any path from a forward configuration corresponding to this term and mode goes through a backward configuration of this term and mode.


▶ Lemma 28. If $\neg(T \xrightarrow{\bar E}_m)$, then for all valid configurations $C = \langle A; \pi \mid \bar E\rangle_m$ such that $|A| = T$ and for all search paths $C \mapsto^* C'$, there exists $A'$ with $|A'| = T$ such that either $C' \mapsto^* \langle \pi; A' \mid \bar E\rangle_{\mathsf{b}m}$ or $\langle \pi; A' \mid \bar E\rangle_{\mathsf{b}m} \mapsto^* C'$.

Proof. We proceed by induction on the metric of the zipper semantics, and distinguish two cases. If the root operator of $T$ is not parsed in $m$, then the only machine step possible from $C$ is the step to $\langle \pi; A' \mid \bar E\rangle_{\mathsf{b}m}$, where $A'$ is $A$ in which the annotation set of its root operator is extended with $\phi(m, \bar E)$, so the result holds.

Otherwise, there exist rules

$$p_i = \dfrac{e'_i \xrightarrow{\bar f_i}_{m_i} v_r \quad P_i(\bar w_i)}{\mathit{op}(\bar v) \xrightarrow{\bar e}_m v_r}$$

parsing the root operator $\mathit{op}$ of $T$. Let $n$ be the number of rules for which $P_i$ is satisfied and $\phi(m_i, \bar f_i\sigma) \notin \mathit{an}(e'_i\sigma)$, for $\sigma$ a grounding substitution such that $\mathit{op}(\bar v)\sigma = A$ and $\bar e\sigma = \bar E$; this is the number of forward configurations $C'$ that can be reached in one step from $C$ (a rule whose annotation is already present cannot fire). We prove the result by an inner induction on $n$. If $n = 0$, then no forward step is possible, and only the step to $\langle \pi; A' \mid \bar E\rangle_{\mathsf{b}m}$ can be done, where $A'$ is as above.

Otherwise, we can make a forward step $\langle A; \pi \mid \bar E\rangle_m \mapsto \langle e'_j\sigma; (p_j, \mathit{an}(A)) :: \pi \mid \bar f_j\sigma\rangle_{m_j}$ for some $j$. However, we have $\neg(|e'_j\sigma| \xrightarrow{\bar f_j\sigma}_{m_j})$, otherwise $T$ could do an $m$-transition. Because $e'_j\sigma \xrightarrow{\bar f_j\sigma}_{m_j}$ is smaller than $T \xrightarrow{\bar E}_m$ according to the zipper semantics metric, we can apply the outermost induction hypothesis. There exists $A'$ such that $\langle e'_j\sigma; (p_j, \mathit{an}(A)) :: \pi \mid \bar f_j\sigma\rangle_{m_j} \mapsto^* \langle (p_j, \mathit{an}(A)) :: \pi; A' \mid \bar f_j\sigma\rangle_{\mathsf{b}m_j}$, and $|A'| = |e'_j\sigma|$. By construction, the only possible next step is to undo $p_j$, so that $\langle (p_j, \mathit{an}(A)) :: \pi; A' \mid \bar f_j\sigma\rangle_{\mathsf{b}m_j} \mapsto \langle A''; \pi \mid \bar E\rangle_m$, where $A''$ differs from $A$ only in its annotation sets. In particular, $A''$ can no longer do the step corresponding to $p_j$, so $n - 1$ configurations are reachable from $A''$. Therefore, we can conclude using the induction hypothesis on $n$. ◀


As a result, the only possible outcome for a machine run starting from a normal form is a normal-form configuration which cannot step further.

▶ Theorem 29. If $\neg(T \to_{\mathsf{zs}})$, then any machine run from $\langle \|T\|^\emptyset\rangle_{\mathsf{zs}}$ ends with $\langle A\rangle_{\mathsf{nf}}$ such that $|A| = T$.


The machine goes through a normal form to annotate each of its constructors from which a transition could trigger. Different runs produce the same annotations for each constructor, but generated in a different order, depending on the arbitrary choices the machine makes.
D.4 Machine Run Implies Semantics Derivation


To show that a machine run encodes a derivation, we formalize the intuition that a machine run is well-bracketed: backward steps undo the rules applied by forward steps in the reverse order. To this end, we label a forward step $F \overset{p}{\mapsto} F'$ and a backward step $B \overset{\bar p}{\mapsto} F$ with the rule $p$ it applies or unapplies, and a step switching from forward to backward with $\nu$: $F \overset{\nu}{\mapsto} B$. We let $\lambda$ range over these labels.


We define the backtrack-free closure $\overset{\lambda}{\Rightarrow}$ to forget about the rules that have been applied and then unapplied in a sequence of machine steps. We write $\overset{p_1 \ldots p_n}{\Rightarrow}$ for a sequence $\overset{p_1}{\Rightarrow} \ldots \overset{p_n}{\Rightarrow}$. The relation $\overset{\lambda}{\Rightarrow}$ is defined as follows:

$$\dfrac{C \overset{\lambda}{\mapsto} C'}{C \overset{\lambda}{\Rightarrow} C'} \qquad \dfrac{F \overset{p}{\Rightarrow} F' \quad F' \overset{\nu}{\Rightarrow} B \quad B \overset{\bar p}{\Rightarrow} F''}{F \overset{\nu}{\Rightarrow} F''} \qquad \dfrac{F \overset{\nu}{\Rightarrow} F_0 \quad F_0 \overset{\lambda}{\Rightarrow} F'}{F \overset{\lambda}{\Rightarrow} F'}$$

Backtrack-free steps extend regular steps with a new behavior, as we can have a $\overset{\nu}{\Rightarrow}$ step between forward configurations. In such a case, the two configurations are equal up to annotations: the resulting configuration contains strictly more annotations than the source one. The other backtrack-free steps correspond to regular machine steps.


▶ Lemma 30. A step $\overset{p}{\Rightarrow}$ is between two forward configurations, a step $\overset{\bar p}{\Rightarrow}$ is between a backward and a forward configuration, and $\overset{\nu}{\Rightarrow}$ is either between a forward and a backward configuration, or between two forward configurations.

Proof. By induction on the derivation of $C \overset{\lambda}{\Rightarrow} C'$. ◀


Given two configurations $C_1$ and $C_2$, we write $|C_1| = |C_2|$ if they are equal up to their terms under focus $A_1$ and $A_2$, for which we have $|A_1| = |A_2|$.


▶ Lemma 31. For all $F \overset{\nu}{\Rightarrow} F'$, we have $|F| = |F'|$. For any other transition $C \overset{\lambda}{\Rightarrow} C'$, there exists $C''$ such that $C \overset{\lambda}{\mapsto} C''$ and $|C''| = |C'|$.

Proof. We proceed by induction on the derivation of $C \overset{\lambda}{\Rightarrow} C'$. The base case is straightforward. If $F \overset{p}{\Rightarrow} F_1 \overset{\nu}{\Rightarrow} B \overset{\bar p}{\Rightarrow} F'$, then by the induction hypothesis there exist $F_1$, $B_2$, and $C''$ such that $F \overset{p}{\mapsto} F_1 \overset{\nu}{\mapsto} B_2 \overset{\bar p}{\mapsto} C''$ and $|C''| = |F'|$. The first step applies $p$ which is then unapplied, so one can check that $|C''| = |F|$, and therefore $|F| = |F'|$ as required.

The case $F \overset{\nu}{\Rightarrow} F_0 \overset{\nu}{\Rightarrow} F'$ is easy by induction. If $F \overset{\nu}{\Rightarrow} F_0 \overset{\lambda}{\Rightarrow} F'$ with $\lambda \neq \nu$, then by the induction hypothesis $|F| = |F_0|$ and $F_0 \overset{\lambda}{\mapsto} F''$ for some $F''$ such that $|F'| = |F''|$. If $F_0$ is able to do a $\overset{\lambda}{\mapsto}$ step, then so is $F$, since $|F| = |F_0|$ and $F_0$ contains more annotations than $F$. As a result, we have $F \overset{\lambda}{\mapsto} F''$ with $|F'| = |F''|$, as wished. ◀


A machine run can be represented as a sequence of backtrack-free steps. Given a configuration $C$, we write $\mathit{stack}(C)$ for its rule stack.


▶ Lemma 32. Let $\mathcal{I}$ be a valid initial configuration. For all $\mathcal{I} \mapsto^* \overset{p}{\mapsto} C$, there exist $p_1 \ldots p_n$ such that $\mathcal{I} \overset{p_1 \ldots p_n}{\Rightarrow} C$.

For all $\mathcal{I} \mapsto^* \overset{\lambda}{\mapsto} C$ such that $\lambda \neq p$, there exist $F$, $p_1 \ldots p_n$ such that $\mathcal{I} \overset{p_1 \ldots p_n}{\Rightarrow} F \overset{\nu}{\Rightarrow} C$ and $\mathit{stack}(F) = \mathit{stack}(C)$.


The condition on stacks in the second case implies that a backtracking step after the $\nu$ step will undo the last rule applied before $F$, i.e., $p_n$. If a machine run ends with an axiom application, we are in the first case, and we get a backtrack-free sequence which corresponds to a derivation tree.
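As an added illustration of the annotation mechanism of Section D.2 and of the well-bracketed runs and backtrack-free closure of this section, here is a small Python program; it is not the paper's machine nor code from the authors, and the calculus it searches is a hypothetical simplification of HOcore (processes $0$, $P \mid Q$, $a\langle M\rangle$ and $a(X).X$, where an input simply becomes the received message). The mode names `zs`, `out`, `in`, the rule names (`commL`, `out-parL`, `in-axiom`, ...), the annotation function `PHI`, and the functions `search`, `backtrack_free`, `example_terms` and `search_report` are all assumptions of the example. On the term $(a\langle P\rangle \mid a\langle Q\rangle) \mid R$ with $R$ unable to input on $a$, the first failed search annotates $R$ with $(\mathsf{in}, a)$, so the second output is not tried against $R$; the run's labels $p$, $\bar p$, $\nu$ are recorded, and `backtrack_free` keeps only the rules that were never undone, which is the derivation when the run ends with an axiom and is empty when it ends in a normal form.

```python
"""Toy backtracking search with failure annotations and a labelled run; a constructed
example, not the paper's machine.  Hypothetical HOcore-like calculus: 0, P | Q, output
a<M>, input a(X).X, with the single reduction a<M> | a(X).X -> 0 | M under parallel contexts.
Modes: zs (find a redex); out, argument R (an output the sibling R can receive; the result
is the pair of both reducts); in, arguments a, M (an input on a; the result is M)."""
from dataclasses import dataclass, field

@dataclass
class Proc:
    kind: str          # 'nil' | 'par' | 'out' | 'in'
    args: tuple = ()   # par: (P, Q); out: (a, M); in: (a,)
    ann: set = field(default_factory=set)   # annotations added at dead ends

def show(p):
    """Annotation-free rendering |p|."""
    k, a = p.kind, p.args
    if k == 'nil': return '0'
    if k == 'par': return f'({show(a[0])} | {show(a[1])})'
    if k == 'out': return f'{a[0]}<{show(a[1])}>'
    return f'{a[0]}(X).X'

# A rule applied to the focus and the mode arguments returns None (it does not parse the
# focus), ('axiom', result) or ('premise', mode', focus', args', rebuild), where rebuild
# maps the premise's result to the conclusion's result.  Rule names are hypothetical.
def par_rule(i, mode):     # descend into component i of a parallel composition
    def rule(p, *args):
        if p.kind != 'par': return None
        put = lambda c: Proc('par', tuple(c if j == i else q for j, q in enumerate(p.args)))
        rebuild = (lambda r: (put(r[0]), r[1])) if mode == 'out' else put
        return ('premise', mode, p.args[i], args, rebuild)
    return rule

def comm(i):               # zs: the output is in component i, the input in the other one
    def rule(p):
        if p.kind != 'par': return None
        return ('premise', 'out', p.args[i], (p.args[1 - i],),
                lambda r: Proc('par', r if i == 0 else (r[1], r[0])))
    return rule

def out_comm(p, sib):      # out: the focus is a<M>; premise: the sibling receives M on a
    if p.kind == 'out':
        return ('premise', 'in', sib, p.args, lambda r: (Proc('nil'), r))

def in_axiom(p, a, m):     # in: the focus is a(X).X, which becomes the message (axiom)
    if p.kind == 'in' and p.args[0] == a:
        return ('axiom', m)

RULES = {'zs': [('commL', comm(0)), ('commR', comm(1)),
                ('zs-parL', par_rule(0, 'zs')), ('zs-parR', par_rule(1, 'zs'))],
         'out': [('out-comm', out_comm), ('out-parL', par_rule(0, 'out')), ('out-parR', par_rule(1, 'out'))],
         'in': [('in-axiom', in_axiom), ('in-parL', par_rule(0, 'in')), ('in-parR', par_rule(1, 'in'))]}
# Annotation function phi(mode, args): only the arguments the outcome depends on; in
# particular the success of an input on a does not depend on the message M (Lemma 24).
PHI = {'zs': lambda a: ('zs',), 'out': lambda a: ('out', show(a[0])), 'in': lambda a: ('in', a[0])}

def search(mode, p, args, trace):
    """Depth-first search with backtracking; trace collects the labelled steps.
    Returns the result in mode, or None when p is a normal form w.r.t. mode and args."""
    key = PHI[mode](args)
    if key in p.ann:                          # Lemma 25: known dead end, not explored again
        trace.append(('skip', mode, show(p)))
        return None
    for name, rule in RULES[mode]:
        r = rule(p, *args)
        if r is None: continue
        trace.append(('p', name))             # forward step applying the rule
        if r[0] == 'axiom': return r[1]
        res = search(r[1], r[2], r[3], trace)
        if res is not None:
            return r[4](res)
        trace.append(('pbar', name))          # backward step undoing the rule
    p.ann.add(key)                            # dead end: annotate with phi(mode, args)
    trace.append(('nu',))                     # and switch to the backward mode
    return None

def backtrack_free(trace):
    """Backtrack-free closure (Section D.4): rules applied and later unapplied are
    forgotten, nu and skip steps absorbed; what remains is the derivation (Lemma 33)."""
    stack = []
    for lab in trace:
        if lab[0] == 'p':
            stack.append(lab[1])
        elif lab[0] == 'pbar':
            if not stack or stack[-1] != lab[1]: raise ValueError(f'ill-bracketed run at {lab}')
            stack.pop()
    return stack

def example_terms():
    """Fresh copies of (a<d<0>> | a<e<0>>) | (b<0> | c(X).X), whose right component has
    no input on a (the situation of Section D.2), and of the variant with a(X).X."""
    def term(chan):
        outs = Proc('par', (Proc('out', ('a', Proc('out', ('d', Proc('nil'))))),
                            Proc('out', ('a', Proc('out', ('e', Proc('nil')))))))
        right = Proc('par', (Proc('out', ('b', Proc('nil'))), Proc('in', (chan,))))
        return Proc('par', (outs, right))
    return term('c'), term('a')

def search_report(p):
    """Search p from the initial mode; report reduct, derivation and skipped subterms."""
    trace = []
    res = search('zs', p, (), trace)
    return {'reduct': None if res is None else show(res), 'derivation': backtrack_free(trace),
            'skipped': [(l[1], l[2]) for l in trace if l[0] == 'skip']}
```

`search_report(example_terms()[0])` reports no reduct, an empty derivation (every rule applied was undone) and exactly one skipped subterm, the right component in mode `in`: after the failed attempt with message $d\langle 0\rangle$ it carries $(\mathsf{in}, a)$ and the attempt with $e\langle 0\rangle$ is cut off. On the reducible variant it reports the reduct $(0 \mid a\langle e\langle 0\rangle\rangle) \mid (b\langle 0\rangle \mid d\langle 0\rangle)$ and the derivation `commL, out-parL, out-comm, in-parR, in-axiom`. The recursion stack plays the role of the paper's explicit rule stack $\pi$, and `backtrack_free` raises on an ill-bracketed trace, the property Lemma 32 guarantees for real runs.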
▶ Lemma 33. Let $\langle A; \pi \mid \bar E\rangle_m$ be a valid configuration such that there exist $p_1 \ldots p_n$, $A'$ so that $\langle A; \pi \mid \bar E\rangle_m \overset{p_1 \ldots p_n}{\Rightarrow} \langle A'\rangle_{\mathsf{zs}}$ is a search path. Then $p_1 \ldots p_n \vdash |A| \xrightarrow{\bar E}_m |A'|$.


Proof. We proceed by induction on $n$. If $n = 1$, we apply an axiom. By Lemma 31, we have $\langle A; \pi \mid \bar E\rangle_m \overset{p_1}{\mapsto} \langle A''\rangle_{\mathsf{zs}}$ for some $A''$ such that $|A''| = |A'|$. An instance of a machine step implies an instance of the axiom, therefore we have $p_1 \vdash |A| \xrightarrow{\bar E}_m |A'|$.

If $n > 1$, we apply the induction hypothesis on the sequence $p_2 \ldots p_n$ to get $p_2 \ldots p_n \vdash |A''| \xrightarrow{\bar E'}_{m'} |A'|$ for some $A''$. By Lemma 31, we have $\langle A; \pi \mid \bar E\rangle_m \overset{p_1}{\mapsto} \langle A'''; (p_1, \mathit{an}(A)) :: \pi \mid \bar E'\rangle_{m'}$ where $A'''$ is such that $|A'''| = |A''|$. Let $\sigma$ be the grounding substitution of this machine step, and $v_r$ be the rule variable designating the outcome of the transitions in the source and premise of $p_1$. We have an instance of $p_1$ by considering $\sigma'$ which maps any $w \neq v_r$ to $|w\sigma|$ and $v_r$ to $|A'|$. This instance completes the derivation and we have $p_1 \ldots p_n \vdash |A| \xrightarrow{\bar E}_m |A'|$, as wished. ◀


▶ Theorem 34. For all search paths $\langle \|T\|^\emptyset\rangle_{\mathsf{zs}} \mapsto^* \langle A'\rangle_{\mathsf{zs}}$, we have $\vdash T \to_{\mathsf{zs}} |A'|$.


The machine is also sound w.r.t. normal forms: if a run ends with $\langle A\rangle_{\mathsf{nf}}$, then $|A|$ is indeed a normal form. It is a direct consequence of Lemma 25, by considering the initial mode.


▶ Theorem 35. Let $\langle A\rangle_{\mathsf{nf}}$ be a valid configuration; then $|A|$ is a normal form.


Theorems 34 and 35 show that a run reaching an initial or a normal-form configuration rightfully corresponds to a zipper derivation or lack thereof. The next result states that these are the only two outcomes, and that they are exclusive. We show that any machine run eventually reaches an initial or normal-form configuration. While it is possible to get to any of the reducts of a term $T$ when we start from $\langle \|T\|^\emptyset\rangle_{\mathsf{zs}}$ (Theorem 27), it is no longer the case once the machine has made some non-deterministic choice. For instance in HOcore, if the machine starts exploring $P \parallel Q$ with $P$ which contains a redex, then $Q$ will be ignored. The machine backtracks only to undo choices that lead to a dead end, not the ones that eventually lead to a redex.

Given a partial run $F \mapsto^* F'$, either we can reach a redex from $F'$, or we need to backtrack. In the latter case, the machine backtracks as little as possible, i.e., to the first configuration from which we can find a redex. We formalize this idea in the next lemma, using the backtrack-free closure.


▶ Lemma 36. Let $F = \langle A; \pi \mid \bar E\rangle_m$ be a valid configuration such that $F \overset{p_1 \ldots p_n}{\Rightarrow} F'$ and $\vdash |A| \xrightarrow{\bar E}_m T'$ for some $T'$.

There exists $0 \le k \le n$ such that for all $T'$, $p'_{k+1} \ldots p'_{n'}$ verifying $p_1 \ldots p_k\, p'_{k+1} \ldots p'_{n'} \vdash |A| \xrightarrow{\bar E}_m T'$, there exists $A'$ such that $F' \mapsto^* \langle A'\rangle_{\mathsf{zs}}$ and $|A'| = T'$. Moreover, for all $k < k' \le n$, for all $T'$, $p'_{k'+1} \ldots p'_{n'}$, we have $\neg(p_1 \ldots p_{k'}\, p'_{k'+1} \ldots p'_{n'} \vdash |A| \xrightarrow{\bar E}_m T')$.


Proof. Consider all the derivations proving a transition $\vdash |A| \xrightarrow{\bar E}_m T'$, and take $k$ as the length of the longest common prefix of $p_1 \ldots p_n$ with these derivations; we may have $k = 0$ if a bad choice is made from the start. Let $F_k = \langle A_k; \pi_k \mid \bar E_k\rangle_{m_k}$ be the configuration such that $F \overset{p_1 \ldots p_k}{\Rightarrow} F_k$. We show that the machine can backtrack from $F'$ to a configuration equal to $F_k$ up to annotations.

If $k = n$, then $F_k = F'$ and we do not need to backtrack. Suppose $k < n$, and let $F_n = \langle A_n; \pi_n \mid \bar E_n\rangle_{m_n}$. We necessarily have $\neg(|A_n| \xrightarrow{\bar E_n}_{m_n})$, otherwise we would have $k = n$. Therefore, by Lemma 28, there exists $A'_n$ such that $F_n \mapsto^* \langle \pi_n; A'_n \mid \bar E_n\rangle_{\mathsf{b}m_n}$ and $|A'_n| = |A_n|$. This configuration then backtracks to a configuration equal to $F_{n-1}$ up to annotations. By induction, we show that we can reach $F_k$. Then from this configuration, we can reach any $T'$ verifying $\vdash |A_k| \xrightarrow{\bar E_k}_{m_k} T'$ by Lemma 26, hence the result holds. ◀


▶ Theorem 37. Let $F$ be a valid configuration. Either $F \mapsto^* \mathcal{I}$ for some $\mathcal{I}$, or $F \mapsto^* \langle A\rangle_{\mathsf{nf}}$ for some $A$.


Finally, search paths are finite. We cannot have an infinite sequence of $\overset{p}{\Rightarrow}$ steps, because the well-foundedness hypothesis on the zipper semantics carries over to these steps. We cannot have an infinite sequence of $\overset{\nu}{\Rightarrow}$ steps, because each of them adds at least one annotation, and the number of annotations is bounded for a given term (see Lemma 38).


▶ Lemma 38. For all $\mathcal{I}$, there exists a finite set of annotations such that for all search paths $\mathcal{I} \mapsto^* C$, the annotations occurring in $C$ are in this set.


Proof. A partial transition, denoted by $\rho$, is a transition without its result, of the form $T \xrightarrow{\bar E}_m$. We define the set $\mathcal{S}_T$ of partial transitions generated from $T$ as follows:

$T \to_{\mathsf{zs}} \in \mathcal{S}_T$;

for any $\rho \in \mathcal{S}_T$, for any rule $p = \dfrac{e'_t \xrightarrow{\bar f}_{m'} v_r \quad P(\bar w)}{e_t \xrightarrow{\bar e}_m v_r}$, for any grounding $\sigma$ satisfying $P$ such that $(e_t \xrightarrow{\bar e}_m)\sigma = \rho$, we have $(e'_t \xrightarrow{\bar f}_{m'})\sigma \in \mathcal{S}_T$.

The machine explores $\mathcal{S}_T$ until it reaches an axiom finishing the transition, and the annotations generated during the search are built from the partial transitions in $\mathcal{S}_T$ (cf. Section 4.3).

Let $\mathcal{I} = \langle \|T\|^\emptyset\rangle_{\mathsf{zs}}$. We prove that $\mathcal{S}_T$ is finite. At each step of the process, we add a finite number of partial transitions, because the number of rules is finite and the number of suitable $\sigma$ is finite when we restrict them to $\mathit{rv}(e_t \xrightarrow{\bar e}_m)$. To each such $\sigma$ corresponds exactly one added premise, because the semantics is machine constructive (cf. Definition 5). The process itself cannot go on indefinitely, because the premises are strictly smaller than the conclusion according to the well-foundedness hypothesis (Definition 7). ◀


▶ Theorem 39. For all $\mathcal{I}$, there exists a number $n$ such that any search path $\mathcal{I} \mapsto^* \ldots$ has length at most $n$.